<!DOCTYPE html>
<html lang="en-US">

<head>
	<meta charset='UTF-8'>
	<meta name="viewport" content="width=device-width, initial-scale=1">
	<link rel="profile" href="http://gmpg.org/xfn/11">
		<!--||  JM Twitter Cards by jmau111 v12  ||-->
<meta name="twitter:card" content="summary_large_image">
<meta name="twitter:creator" content="@jbradley89">
<meta name="twitter:site" content="@The Mitten Mac">
<meta name="twitter:title" content="Tinyshell Under the Microscope">
<meta name="twitter:description" content="Back in 2018 I presented a talk titled “Macdoored” at a handful of small conferences. This talk was about various APT attacks I’d seen targeting Macs. In the talk I take a minute to mention the">
<meta name="twitter:image" content="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/mydecode_args.png?fit=642%2C443&amp;ssl=1">
<!--||  /JM Twitter Cards by jmau111 v12  ||-->
<title>Tinyshell Under the Microscope &#8211; The Mitten Mac</title>
<meta name='robots' content='max-image-preview:large' />
<link rel='dns-prefetch' href='//fonts.googleapis.com' />
<link rel='dns-prefetch' href='//v0.wordpress.com' />
<link rel='dns-prefetch' href='//i0.wp.com' />
<link rel="alternate" type="application/rss+xml" title="The Mitten Mac &raquo; Feed" href="https://themittenmac.com/feed/" />
<link rel="alternate" type="application/rss+xml" title="The Mitten Mac &raquo; Comments Feed" href="https://themittenmac.com/comments/feed/" />
		<!-- This site uses the Google Analytics by MonsterInsights plugin v8.13.1 - Using Analytics tracking - https://www.monsterinsights.com/ -->
		<!-- Note: MonsterInsights is not currently configured on this site. The site owner needs to authenticate with Google Analytics in the MonsterInsights settings panel. -->
					<!-- No UA code set -->
				<!-- / Google Analytics by MonsterInsights -->
		<script type="text/javascript">
window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/14.0.0\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/14.0.0\/svg\/","svgExt":".svg","source":{"concatemoji":"https:\/\/themittenmac.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.1.1"}};
/*! This file is auto-generated */
!function(e,a,t){var n,r,o,i=a.createElement("canvas"),p=i.getContext&&i.getContext("2d");function s(e,t){var a=String.fromCharCode,e=(p.clearRect(0,0,i.width,i.height),p.fillText(a.apply(this,e),0,0),i.toDataURL());return p.clearRect(0,0,i.width,i.height),p.fillText(a.apply(this,t),0,0),e===i.toDataURL()}function c(e){var t=a.createElement("script");t.src=e,t.defer=t.type="text/javascript",a.getElementsByTagName("head")[0].appendChild(t)}for(o=Array("flag","emoji"),t.supports={everything:!0,everythingExceptFlag:!0},r=0;r<o.length;r++)t.supports[o[r]]=function(e){if(p&&p.fillText)switch(p.textBaseline="top",p.font="600 32px Arial",e){case"flag":return s([127987,65039,8205,9895,65039],[127987,65039,8203,9895,65039])?!1:!s([55356,56826,55356,56819],[55356,56826,8203,55356,56819])&&!s([55356,57332,56128,56423,56128,56418,56128,56421,56128,56430,56128,56423,56128,56447],[55356,57332,8203,56128,56423,8203,56128,56418,8203,56128,56421,8203,56128,56430,8203,56128,56423,8203,56128,56447]);case"emoji":return!s([129777,127995,8205,129778,127999],[129777,127995,8203,129778,127999])}return!1}(o[r]),t.supports.everything=t.supports.everything&&t.supports[o[r]],"flag"!==o[r]&&(t.supports.everythingExceptFlag=t.supports.everythingExceptFlag&&t.supports[o[r]]);t.supports.everythingExceptFlag=t.supports.everythingExceptFlag&&!t.supports.flag,t.DOMReady=!1,t.readyCallback=function(){t.DOMReady=!0},t.supports.everything||(n=function(){t.readyCallback()},a.addEventListener?(a.addEventListener("DOMContentLoaded",n,!1),e.addEventListener("load",n,!1)):(e.attachEvent("onload",n),a.attachEvent("onreadystatechange",function(){"complete"===a.readyState&&t.readyCallback()})),(e=t.source||{}).concatemoji?c(e.concatemoji):e.wpemoji&&e.twemoji&&(c(e.twemoji),c(e.wpemoji)))}(window,document,window._wpemojiSettings);
</script>
<style type="text/css">
img.wp-smiley,
img.emoji {
	display: inline !important;
	border: none !important;
	box-shadow: none !important;
	height: 1em !important;
	width: 1em !important;
	margin: 0 0.07em !important;
	vertical-align: -0.1em !important;
	background: none !important;
	padding: 0 !important;
}
</style>
	<link rel='stylesheet' id='bootstrap-css' href='https://themittenmac.com/wp-content/themes/hestia/assets/bootstrap/css/bootstrap.min.css?ver=1.0.2' type='text/css' media='all' />
<link rel='stylesheet' id='hestia-font-sizes-css' href='https://themittenmac.com/wp-content/themes/hestia/assets/css/font-sizes.min.css?ver=3.0.29' type='text/css' media='all' />
<link rel='stylesheet' id='solid-syntax-style-css' href='https://themittenmac.com/wp-content/plugins/syntax-highlighter-for-elementor/assets/prism2.css?ver=1.0.6' type='text/css' media='all' />
<link rel='stylesheet' id='wp-block-library-css' href='https://themittenmac.com/wp-includes/css/dist/block-library/style.min.css?ver=6.1.1' type='text/css' media='all' />
<style id='wp-block-library-inline-css' type='text/css'>
.has-text-align-justify{text-align:justify;}
</style>
<link rel='stylesheet' id='mediaelement-css' href='https://themittenmac.com/wp-includes/js/mediaelement/mediaelementplayer-legacy.min.css?ver=4.2.17' type='text/css' media='all' />
<link rel='stylesheet' id='wp-mediaelement-css' href='https://themittenmac.com/wp-includes/js/mediaelement/wp-mediaelement.min.css?ver=6.1.1' type='text/css' media='all' />
<link rel='stylesheet' id='classic-theme-styles-css' href='https://themittenmac.com/wp-includes/css/classic-themes.min.css?ver=1' type='text/css' media='all' />
<style id='global-styles-inline-css' type='text/css'>
body{--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--color--accent: #3dd282;--wp--preset--color--background-color: #ffffff;--wp--preset--color--header-gradient: #a81d84;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--duotone--dark-grayscale: url('#wp-duotone-dark-grayscale');--wp--preset--duotone--grayscale: url('#wp-duotone-grayscale');--wp--preset--duotone--purple-yellow: url('#wp-duotone-purple-yellow');--wp--preset--duotone--blue-red: url('#wp-duotone-blue-red');--wp--preset--duotone--midnight: url('#wp-duotone-midnight');--wp--preset--duotone--magenta-yellow: url('#wp-duotone-magenta-yellow');--wp--preset--duotone--purple-green: url('#wp-duotone-purple-green');--wp--preset--duotone--blue-orange: url('#wp-duotone-blue-orange');--wp--preset--font-size--small: 13px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 36px;--wp--preset--font-size--x-large: 42px;--wp--preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;}:where(.is-layout-flex){gap: 0.5em;}body .is-layout-flow > .alignleft{float: left;margin-inline-start: 0;margin-inline-end: 2em;}body .is-layout-flow > .alignright{float: right;margin-inline-start: 2em;margin-inline-end: 0;}body .is-layout-flow > .aligncenter{margin-left: auto !important;margin-right: auto !important;}body .is-layout-constrained > .alignleft{float: left;margin-inline-start: 0;margin-inline-end: 2em;}body .is-layout-constrained > .alignright{float: right;margin-inline-start: 2em;margin-inline-end: 0;}body .is-layout-constrained > .aligncenter{margin-left: auto !important;margin-right: auto !important;}body .is-layout-constrained > :where(:not(.alignleft):not(.alignright):not(.alignfull)){max-width: var(--wp--style--global--content-size);margin-left: auto !important;margin-right: auto !important;}body .is-layout-constrained > .alignwide{max-width: var(--wp--style--global--wide-size);}body .is-layout-flex{display: flex;}body .is-layout-flex{flex-wrap: wrap;align-items: center;}body .is-layout-flex > *{margin: 0;}:where(.wp-block-columns.is-layout-flex){gap: 2em;}.has-black-color{color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-border-color{border-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color: var(--wp--preset--color--vivid-purple) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background: var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background: var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background: var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background: var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background: var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background: var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background: var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size: var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size: var(--wp--preset--font-size--medium) !important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;}
.wp-block-navigation a:where(:not(.wp-element-button)){color: inherit;}
:where(.wp-block-columns.is-layout-flex){gap: 2em;}
.wp-block-pullquote{font-size: 1.5em;line-height: 1.6;}
</style>
<link rel='stylesheet' id='fsb-image-css' href='https://themittenmac.com/wp-content/plugins/simple-full-screen-background-image/includes/fullscreen-image.css?ver=6.1.1' type='text/css' media='all' />
<link rel='stylesheet' id='hestia-clients-bar-css' href='https://themittenmac.com/wp-content/plugins/themeisle-companion/obfx_modules/companion-legacy/assets/css/hestia/clients-bar.css?ver=6.1.1' type='text/css' media='all' />
<link rel='stylesheet' id='hestia_style-css' href='https://themittenmac.com/wp-content/themes/hestia/style.min.css?ver=3.0.29' type='text/css' media='all' />
<style id='hestia_style-inline-css' type='text/css'>
div.wpforms-container-full .wpforms-form div.wpforms-field input.wpforms-error{border:none}div.wpforms-container .wpforms-form input[type=date],div.wpforms-container .wpforms-form input[type=datetime],div.wpforms-container .wpforms-form input[type=datetime-local],div.wpforms-container .wpforms-form input[type=email],div.wpforms-container .wpforms-form input[type=month],div.wpforms-container .wpforms-form input[type=number],div.wpforms-container .wpforms-form input[type=password],div.wpforms-container .wpforms-form input[type=range],div.wpforms-container .wpforms-form input[type=search],div.wpforms-container .wpforms-form input[type=tel],div.wpforms-container .wpforms-form input[type=text],div.wpforms-container .wpforms-form input[type=time],div.wpforms-container .wpforms-form input[type=url],div.wpforms-container .wpforms-form input[type=week],div.wpforms-container .wpforms-form select,div.wpforms-container .wpforms-form textarea,.nf-form-cont input:not([type=button]),div.wpforms-container .wpforms-form .form-group.is-focused .form-control{box-shadow:none}div.wpforms-container .wpforms-form input[type=date],div.wpforms-container .wpforms-form input[type=datetime],div.wpforms-container .wpforms-form input[type=datetime-local],div.wpforms-container .wpforms-form input[type=email],div.wpforms-container .wpforms-form input[type=month],div.wpforms-container .wpforms-form input[type=number],div.wpforms-container .wpforms-form input[type=password],div.wpforms-container .wpforms-form input[type=range],div.wpforms-container .wpforms-form input[type=search],div.wpforms-container .wpforms-form input[type=tel],div.wpforms-container .wpforms-form input[type=text],div.wpforms-container .wpforms-form input[type=time],div.wpforms-container .wpforms-form input[type=url],div.wpforms-container .wpforms-form input[type=week],div.wpforms-container .wpforms-form select,div.wpforms-container .wpforms-form textarea,.nf-form-cont input:not([type=button]){background-image:linear-gradient(#9c27b0,#9c27b0),linear-gradient(#d2d2d2,#d2d2d2);float:none;border:0;border-radius:0;background-color:transparent;background-repeat:no-repeat;background-position:center bottom,center calc(100% - 1px);background-size:0 2px,100% 1px;font-weight:400;transition:background 0s ease-out}div.wpforms-container .wpforms-form .form-group.is-focused .form-control{outline:none;background-size:100% 2px,100% 1px;transition-duration:0.3s}div.wpforms-container .wpforms-form input[type=date].form-control,div.wpforms-container .wpforms-form input[type=datetime].form-control,div.wpforms-container .wpforms-form input[type=datetime-local].form-control,div.wpforms-container .wpforms-form input[type=email].form-control,div.wpforms-container .wpforms-form input[type=month].form-control,div.wpforms-container .wpforms-form input[type=number].form-control,div.wpforms-container .wpforms-form input[type=password].form-control,div.wpforms-container .wpforms-form input[type=range].form-control,div.wpforms-container .wpforms-form input[type=search].form-control,div.wpforms-container .wpforms-form input[type=tel].form-control,div.wpforms-container .wpforms-form input[type=text].form-control,div.wpforms-container .wpforms-form input[type=time].form-control,div.wpforms-container .wpforms-form input[type=url].form-control,div.wpforms-container .wpforms-form input[type=week].form-control,div.wpforms-container .wpforms-form select.form-control,div.wpforms-container .wpforms-form textarea.form-control{border:none;padding:7px 0;font-size:14px}div.wpforms-container .wpforms-form .wpforms-field-select select{border-radius:3px}div.wpforms-container .wpforms-form .wpforms-field-number input[type=number]{background-image:none;border-radius:3px}div.wpforms-container .wpforms-form button[type=submit].wpforms-submit,div.wpforms-container .wpforms-form button[type=submit].wpforms-submit:hover{color:#fff;border:none}.home div.wpforms-container-full .wpforms-form{margin-left:15px;margin-right:15px}div.wpforms-container-full .wpforms-form .wpforms-field{padding:0 0 24px 0 !important}div.wpforms-container-full .wpforms-form .wpforms-submit-container{text-align:right}div.wpforms-container-full .wpforms-form .wpforms-submit-container button{text-transform:uppercase}div.wpforms-container-full .wpforms-form textarea{border:none !important}div.wpforms-container-full .wpforms-form textarea:focus{border-width:0 !important}.home div.wpforms-container .wpforms-form textarea{background-image:linear-gradient(#9c27b0,#9c27b0),linear-gradient(#d2d2d2,#d2d2d2);background-color:transparent;background-repeat:no-repeat;background-position:center bottom,center calc(100% - 1px);background-size:0 2px,100% 1px}@media only screen and(max-width:768px){.wpforms-container-full .wpforms-form .wpforms-one-half,.wpforms-container-full .wpforms-form button{width:100% !important;margin-left:0 !important}.wpforms-container-full .wpforms-form .wpforms-submit-container{text-align:center}}div.wpforms-container .wpforms-form input:focus,div.wpforms-container .wpforms-form select:focus{border:none}.elementor-page .hestia-about>.container{width:100%}.elementor-page .pagebuilder-section{padding:0}.elementor-page .title-in-content,.elementor-page .image-in-page{display:none}.home.elementor-page .main-raised>section.hestia-about{overflow:visible}.elementor-editor-active .navbar{pointer-events:none}.elementor-editor-active #elementor.elementor-edit-mode .elementor-element-overlay{z-index:1000000}.elementor-page.page-template-template-fullwidth .blog-post-wrapper>.container{width:100%}.elementor-page.page-template-template-fullwidth .blog-post-wrapper>.container .col-md-12{padding:0}.elementor-page.page-template-template-fullwidth article.section{padding:0}.elementor-text-editor p,.elementor-text-editor h1,.elementor-text-editor h2,.elementor-text-editor h3,.elementor-text-editor h4,.elementor-text-editor h5,.elementor-text-editor h6{font-size:inherit}.footer-big .footer-menu li a[href*="facebook.com"],.footer-big .footer-menu li a[href*="twitter.com"],.footer-big .footer-menu li a[href*="pinterest.com"],.footer-big .footer-menu li a[href*="google.com"],.footer-big .footer-menu li a[href*="linkedin.com"],.footer-big .footer-menu li a[href*="dribbble.com"],.footer-big .footer-menu li a[href*="github.com"],.footer-big .footer-menu li a[href*="youtube.com"],.footer-big .footer-menu li a[href*="instagram.com"],.footer-big .footer-menu li a[href*="reddit.com"],.footer-big .footer-menu li a[href*="tumblr.com"],.footer-big .footer-menu li a[href*="behance.com"],.footer-big .footer-menu li a[href*="snapchat.com"],.footer-big .footer-menu li a[href*="deviantart.com"],.footer-big .footer-menu li a[href*="vimeo.com"]{color:transparent;font-size:0;padding:10px}.footer-big .footer-menu li a[href*="facebook.com"]:hover,.footer-big .footer-menu li a[href*="twitter.com"]:hover,.footer-big .footer-menu li a[href*="pinterest.com"]:hover,.footer-big .footer-menu li a[href*="google.com"]:hover,.footer-big .footer-menu li a[href*="linkedin.com"]:hover,.footer-big .footer-menu li a[href*="dribbble.com"]:hover,.footer-big .footer-menu li a[href*="github.com"]:hover,.footer-big .footer-menu li a[href*="youtube.com"]:hover,.footer-big .footer-menu li a[href*="instagram.com"]:hover,.footer-big .footer-menu li a[href*="reddit.com"]:hover,.footer-big .footer-menu li a[href*="tumblr.com"]:hover,.footer-big .footer-menu li a[href*="behance.com"]:hover,.footer-big .footer-menu li a[href*="snapchat.com"]:hover,.footer-big .footer-menu li a[href*="deviantart.com"]:hover,.footer-big .footer-menu li a[href*="vimeo.com"]:hover{opacity:1 !important}.footer-big .footer-menu li a[href*="facebook.com"]:hover:before{color:#3b5998}.footer-big .footer-menu li a[href*="twitter.com"]:hover:before{color:#55acee}.footer-big .footer-menu li a[href*="pinterest.com"]:hover:before{color:#cc2127}.footer-big .footer-menu li a[href*="google.com"]:hover:before{color:#dd4b39}.footer-big .footer-menu li a[href*="linkedin.com"]:hover:before{color:#0976b4}.footer-big .footer-menu li a[href*="dribbble.com"]:hover:before{color:#ea4c89}.footer-big .footer-menu li a[href*="github.com"]:hover:before{color:#000}.footer-big .footer-menu li a[href*="youtube.com"]:hover:before{color:#e52d27}.footer-big .footer-menu li a[href*="instagram.com"]:hover:before{color:#125688}.footer-big .footer-menu li a[href*="reddit.com"]:hover:before{color:#ff4500}.footer-big .footer-menu li a[href*="tumblr.com"]:hover:before{color:#35465c}.footer-big .footer-menu li a[href*="behance.com"]:hover:before{color:#1769ff}.footer-big .footer-menu li a[href*="snapchat.com"]:hover:before{color:#fffc00}.footer-big .footer-menu li a[href*="deviantart.com"]:hover:before{color:#05cc47}.footer-big .footer-menu li a[href*="vimeo.com"]:hover:before{color:#1ab7ea}.footer-big .footer-menu li a[href*="facebook.com"]:before,.footer-big .footer-menu li a[href*="twitter.com"]:before,.footer-big .footer-menu li a[href*="pinterest.com"]:before,.footer-big .footer-menu li a[href*="google.com"]:before,.footer-big .footer-menu li a[href*="linkedin.com"]:before,.footer-big .footer-menu li a[href*="dribbble.com"]:before,.footer-big .footer-menu li a[href*="github.com"]:before,.footer-big .footer-menu li a[href*="youtube.com"]:before,.footer-big .footer-menu li a[href*="instagram.com"]:before,.footer-big .footer-menu li a[href*="reddit.com"]:before,.footer-big .footer-menu li a[href*="tumblr.com"]:before,.footer-big .footer-menu li a[href*="behance.com"]:before,.footer-big .footer-menu li a[href*="snapchat.com"]:before,.footer-big .footer-menu li a[href*="deviantart.com"]:before,.footer-big .footer-menu li a[href*="vimeo.com"]:before{font-family:"Font Awesome 5 Brands";font-weight:900;color:#3c4858;font-size:16px}.footer-black .footer-menu li a[href*="facebook.com"]:before,.footer-black .footer-menu li a[href*="twitter.com"]:before,.footer-black .footer-menu li a[href*="pinterest.com"]:before,.footer-black .footer-menu li a[href*="google.com"]:before,.footer-black .footer-menu li a[href*="linkedin.com"]:before,.footer-black .footer-menu li a[href*="dribbble.com"]:before,.footer-black .footer-menu li a[href*="github.com"]:before,.footer-black .footer-menu li a[href*="youtube.com"]:before,.footer-black .footer-menu li a[href*="instagram.com"]:before,.footer-black .footer-menu li a[href*="reddit.com"]:before,.footer-black .footer-menu li a[href*="tumblr.com"]:before,.footer-black .footer-menu li a[href*="behance.com"]:before,.footer-black .footer-menu li a[href*="snapchat.com"]:before,.footer-black .footer-menu li a[href*="deviantart.com"]:before,.footer-black .footer-menu li a[href*="vimeo.com"]:before{color:#fff}.footer-big .footer-menu li a[href*="facebook.com"]:before{content:""}.footer-big .footer-menu li a[href*="twitter.com"]:before{content:""}.footer-big .footer-menu li a[href*="pinterest.com"]:before{content:""}.footer-big .footer-menu li a[href*="google.com"]:before{content:""}.footer-big .footer-menu li a[href*="linkedin.com"]:before{content:""}.footer-big .footer-menu li a[href*="dribbble.com"]:before{content:""}.footer-big .footer-menu li a[href*="github.com"]:before{content:""}.footer-big .footer-menu li a[href*="youtube.com"]:before{content:""}.footer-big .footer-menu li a[href*="instagram.com"]:before{content:""}.footer-big .footer-menu li a[href*="reddit.com"]:before{content:""}.footer-big .footer-menu li a[href*="tumblr.com"]:before{content:""}.footer-big .footer-menu li a[href*="behance.com"]:before{content:""}.footer-big .footer-menu li a[href*="snapchat.com"]:before{content:""}.footer-big .footer-menu li a[href*="deviantart.com"]:before{content:""}.footer-big .footer-menu li a[href*="vimeo.com"]:before{content:""}
.hestia-top-bar,.hestia-top-bar .widget.widget_shopping_cart .cart_list{background-color:#363537}.hestia-top-bar .widget .label-floating input[type=search]:-webkit-autofill{-webkit-box-shadow:inset 0 0 0 9999px #363537}.hestia-top-bar,.hestia-top-bar .widget .label-floating input[type=search],.hestia-top-bar .widget.widget_search form.form-group:before,.hestia-top-bar .widget.widget_product_search form.form-group:before,.hestia-top-bar .widget.widget_shopping_cart:before{color:#fff}.hestia-top-bar .widget .label-floating input[type=search]{-webkit-text-fill-color:#fff !important}.hestia-top-bar div.widget.widget_shopping_cart:before,.hestia-top-bar .widget.widget_product_search form.form-group:before,.hestia-top-bar .widget.widget_search form.form-group:before{background-color:#fff}.hestia-top-bar a,.hestia-top-bar .top-bar-nav li a{color:#fff}.hestia-top-bar ul li a[href*="mailto:"]:before,.hestia-top-bar ul li a[href*="tel:"]:before{background-color:#fff}.hestia-top-bar a:hover,.hestia-top-bar .top-bar-nav li a:hover{color:#eee}.hestia-top-bar ul li:hover a[href*="mailto:"]:before,.hestia-top-bar ul li:hover a[href*="tel:"]:before{background-color:#eee}
a,.navbar .dropdown-menu li:hover>a,.navbar .dropdown-menu li:focus>a,.navbar .dropdown-menu li:active>a,.navbar .navbar-nav>li .dropdown-menu li:hover>a,body:not(.home) .navbar-default .navbar-nav>.active:not(.btn)>a,body:not(.home) .navbar-default .navbar-nav>.active:not(.btn)>a:hover,body:not(.home) .navbar-default .navbar-nav>.active:not(.btn)>a:focus,a:hover,.card-blog a.moretag:hover,.card-blog a.more-link:hover,.widget a:hover,.has-text-color.has-accent-color,p.has-text-color a{color:#3dd282}.svg-text-color{fill:#3dd282}.pagination span.current,.pagination span.current:focus,.pagination span.current:hover{border-color:#3dd282}button,button:hover,.woocommerce .track_order button[type="submit"],.woocommerce .track_order button[type="submit"]:hover,div.wpforms-container .wpforms-form button[type=submit].wpforms-submit,div.wpforms-container .wpforms-form button[type=submit].wpforms-submit:hover,input[type="button"],input[type="button"]:hover,input[type="submit"],input[type="submit"]:hover,input#searchsubmit,.pagination span.current,.pagination span.current:focus,.pagination span.current:hover,.btn.btn-primary,.btn.btn-primary:link,.btn.btn-primary:hover,.btn.btn-primary:focus,.btn.btn-primary:active,.btn.btn-primary.active,.btn.btn-primary.active:focus,.btn.btn-primary.active:hover,.btn.btn-primary:active:hover,.btn.btn-primary:active:focus,.btn.btn-primary:active:hover,.hestia-sidebar-open.btn.btn-rose,.hestia-sidebar-close.btn.btn-rose,.hestia-sidebar-open.btn.btn-rose:hover,.hestia-sidebar-close.btn.btn-rose:hover,.hestia-sidebar-open.btn.btn-rose:focus,.hestia-sidebar-close.btn.btn-rose:focus,.label.label-primary,.hestia-work .portfolio-item:nth-child(6n+1) .label,.nav-cart .nav-cart-content .widget .buttons .button,.has-accent-background-color[class*="has-background"]{background-color:#3dd282}@media(max-width:768px){.navbar-default .navbar-nav>li>a:hover,.navbar-default .navbar-nav>li>a:focus,.navbar .navbar-nav .dropdown .dropdown-menu li a:hover,.navbar .navbar-nav .dropdown .dropdown-menu li a:focus,.navbar button.navbar-toggle:hover,.navbar .navbar-nav li:hover>a i{color:#3dd282}}body:not(.woocommerce-page) button:not([class^="fl-"]):not(.hestia-scroll-to-top):not(.navbar-toggle):not(.close),body:not(.woocommerce-page) .button:not([class^="fl-"]):not(hestia-scroll-to-top):not(.navbar-toggle):not(.add_to_cart_button):not(.product_type_grouped):not(.product_type_external),div.wpforms-container .wpforms-form button[type=submit].wpforms-submit,input[type="submit"],input[type="button"],.btn.btn-primary,.widget_product_search button[type="submit"],.hestia-sidebar-open.btn.btn-rose,.hestia-sidebar-close.btn.btn-rose,.everest-forms button[type=submit].everest-forms-submit-button{-webkit-box-shadow:0 2px 2px 0 rgba(61,210,130,0.14),0 3px 1px -2px rgba(61,210,130,0.2),0 1px 5px 0 rgba(61,210,130,0.12);box-shadow:0 2px 2px 0 rgba(61,210,130,0.14),0 3px 1px -2px rgba(61,210,130,0.2),0 1px 5px 0 rgba(61,210,130,0.12)}.card .header-primary,.card .content-primary,.everest-forms button[type=submit].everest-forms-submit-button{background:#3dd282}body:not(.woocommerce-page) .button:not([class^="fl-"]):not(.hestia-scroll-to-top):not(.navbar-toggle):not(.add_to_cart_button):hover,body:not(.woocommerce-page) button:not([class^="fl-"]):not(.hestia-scroll-to-top):not(.navbar-toggle):not(.close):hover,div.wpforms-container .wpforms-form button[type=submit].wpforms-submit:hover,input[type="submit"]:hover,input[type="button"]:hover,input#searchsubmit:hover,.widget_product_search button[type="submit"]:hover,.pagination span.current,.btn.btn-primary:hover,.btn.btn-primary:focus,.btn.btn-primary:active,.btn.btn-primary.active,.btn.btn-primary:active:focus,.btn.btn-primary:active:hover,.hestia-sidebar-open.btn.btn-rose:hover,.hestia-sidebar-close.btn.btn-rose:hover,.pagination span.current:hover,.everest-forms button[type=submit].everest-forms-submit-button:hover,.everest-forms button[type=submit].everest-forms-submit-button:focus,.everest-forms button[type=submit].everest-forms-submit-button:active{-webkit-box-shadow:0 14px 26px -12px rgba(61,210,130,0.42),0 4px 23px 0 rgba(0,0,0,0.12),0 8px 10px -5px rgba(61,210,130,0.2);box-shadow:0 14px 26px -12px rgba(61,210,130,0.42),0 4px 23px 0 rgba(0,0,0,0.12),0 8px 10px -5px rgba(61,210,130,0.2);color:#fff}.form-group.is-focused .form-control{background-image:-webkit-gradient(linear,left top,left bottom,from(#3dd282),to(#3dd282)),-webkit-gradient(linear,left top,left bottom,from(#d2d2d2),to(#d2d2d2));background-image:-webkit-linear-gradient(linear,left top,left bottom,from(#3dd282),to(#3dd282)),-webkit-linear-gradient(linear,left top,left bottom,from(#d2d2d2),to(#d2d2d2));background-image:linear-gradient(linear,left top,left bottom,from(#3dd282),to(#3dd282)),linear-gradient(linear,left top,left bottom,from(#d2d2d2),to(#d2d2d2))}.navbar:not(.navbar-transparent) li:not(.btn):hover>a,.navbar li.on-section:not(.btn)>a,.navbar.full-screen-menu.navbar-transparent li:not(.btn):hover>a,.navbar.full-screen-menu .navbar-toggle:hover,.navbar:not(.navbar-transparent) .nav-cart:hover,.navbar:not(.navbar-transparent) .hestia-toggle-search:hover{color:#3dd282}.header-filter-gradient{background:linear-gradient(45deg,rgba(168,29,132,1) 0,rgb(234,57,111) 100%)}.has-text-color.has-header-gradient-color{color:#a81d84}.has-header-gradient-background-color[class*="has-background"]{background-color:#a81d84}.has-text-color.has-background-color-color{color:#fff}.has-background-color-background-color[class*="has-background"]{background-color:#fff}
.btn.btn-primary:not(.colored-button):not(.btn-left):not(.btn-right):not(.btn-just-icon):not(.menu-item),input[type="submit"]:not(.search-submit),body:not(.woocommerce-account) .woocommerce .button.woocommerce-Button,.woocommerce .product button.button,.woocommerce .product button.button.alt,.woocommerce .product #respond input#submit,.woocommerce-cart .blog-post .woocommerce .cart-collaterals .cart_totals .checkout-button,.woocommerce-checkout #payment #place_order,.woocommerce-account.woocommerce-page button.button,.woocommerce .track_order button[type="submit"],.nav-cart .nav-cart-content .widget .buttons .button,.woocommerce a.button.wc-backward,body.woocommerce .wccm-catalog-item a.button,body.woocommerce a.wccm-button.button,form.woocommerce-form-coupon button.button,div.wpforms-container .wpforms-form button[type=submit].wpforms-submit,div.woocommerce a.button.alt,div.woocommerce table.my_account_orders .button,.btn.colored-button,.btn.btn-left,.btn.btn-right,.btn:not(.colored-button):not(.btn-left):not(.btn-right):not(.btn-just-icon):not(.menu-item):not(.hestia-sidebar-open):not(.hestia-sidebar-close){padding-top:15px;padding-bottom:15px;padding-left:33px;padding-right:33px}
.btn.btn-primary:not(.colored-button):not(.btn-left):not(.btn-right):not(.btn-just-icon):not(.menu-item),input[type="submit"]:not(.search-submit),body:not(.woocommerce-account) .woocommerce .button.woocommerce-Button,.woocommerce .product button.button,.woocommerce .product button.button.alt,.woocommerce .product #respond input#submit,.woocommerce-cart .blog-post .woocommerce .cart-collaterals .cart_totals .checkout-button,.woocommerce-checkout #payment #place_order,.woocommerce-account.woocommerce-page button.button,.woocommerce .track_order button[type="submit"],.nav-cart .nav-cart-content .widget .buttons .button,.woocommerce a.button.wc-backward,body.woocommerce .wccm-catalog-item a.button,body.woocommerce a.wccm-button.button,form.woocommerce-form-coupon button.button,div.wpforms-container .wpforms-form button[type=submit].wpforms-submit,div.woocommerce a.button.alt,div.woocommerce table.my_account_orders .button,input[type="submit"].search-submit,.hestia-view-cart-wrapper .added_to_cart.wc-forward,.woocommerce-product-search button,.woocommerce-cart .actions .button,#secondary div[id^=woocommerce_price_filter] .button,.woocommerce div[id^=woocommerce_widget_cart].widget .buttons .button,.searchform input[type=submit],.searchform button,.search-form:not(.media-toolbar-primary) input[type=submit],.search-form:not(.media-toolbar-primary) button,.woocommerce-product-search input[type=submit],.btn.colored-button,.btn.btn-left,.btn.btn-right,.btn:not(.colored-button):not(.btn-left):not(.btn-right):not(.btn-just-icon):not(.menu-item):not(.hestia-sidebar-open):not(.hestia-sidebar-close){border-radius:36px}
h1,h2,h3,h4,h5,h6,.hestia-title,.hestia-title.title-in-content,p.meta-in-content,.info-title,.card-title,.page-header.header-small .hestia-title,.page-header.header-small .title,.widget h5,.hestia-title,.title,.footer-brand,.footer-big h4,.footer-big h5,.media .media-heading,.carousel h1.hestia-title,.carousel h2.title,.carousel span.sub-title,.hestia-about h1,.hestia-about h2,.hestia-about h3,.hestia-about h4,.hestia-about h5{font-family:Courier,monospace}
@media(min-width:769px){.page-header.header-small .hestia-title,.page-header.header-small .title,h1.hestia-title.title-in-content,.main article.section .has-title-font-size{font-size:42px}}
</style>
<link rel='stylesheet' id='hestia_fonts-css' href='https://fonts.googleapis.com/css?family=Roboto%3A300%2C400%2C500%2C700%7CRoboto+Slab%3A400%2C700&#038;subset=latin%2Clatin-ext&#038;ver=3.0.29' type='text/css' media='all' />
<link rel='stylesheet' id='elementor-icons-css' href='https://themittenmac.com/wp-content/plugins/elementor/assets/lib/eicons/css/elementor-icons.min.css?ver=5.18.0' type='text/css' media='all' />
<link rel='stylesheet' id='elementor-frontend-legacy-css' href='https://themittenmac.com/wp-content/plugins/elementor/assets/css/frontend-legacy.min.css?ver=3.11.5' type='text/css' media='all' />
<link rel='stylesheet' id='elementor-frontend-css' href='https://themittenmac.com/wp-content/plugins/elementor/assets/css/frontend.min.css?ver=3.11.5' type='text/css' media='all' />
<link rel='stylesheet' id='swiper-css' href='https://themittenmac.com/wp-content/plugins/elementor/assets/lib/swiper/css/swiper.min.css?ver=5.3.6' type='text/css' media='all' />
<link rel='stylesheet' id='elementor-post-376-css' href='https://themittenmac.com/wp-content/uploads/elementor/css/post-376.css?ver=1630350072' type='text/css' media='all' />
<link rel='stylesheet' id='elementor-global-css' href='https://themittenmac.com/wp-content/uploads/elementor/css/global.css?ver=1630350072' type='text/css' media='all' />
<link rel='stylesheet' id='elementor-post-241-css' href='https://themittenmac.com/wp-content/uploads/elementor/css/post-241.css?ver=1630350127' type='text/css' media='all' />
<link rel='stylesheet' id='google-fonts-1-css' href='https://fonts.googleapis.com/css?family=Amatic+SC%3A100%2C100italic%2C200%2C200italic%2C300%2C300italic%2C400%2C400italic%2C500%2C500italic%2C600%2C600italic%2C700%2C700italic%2C800%2C800italic%2C900%2C900italic%7CRoboto+Slab%3A100%2C100italic%2C200%2C200italic%2C300%2C300italic%2C400%2C400italic%2C500%2C500italic%2C600%2C600italic%2C700%2C700italic%2C800%2C800italic%2C900%2C900italic%7CChenla%3A100%2C100italic%2C200%2C200italic%2C300%2C300italic%2C400%2C400italic%2C500%2C500italic%2C600%2C600italic%2C700%2C700italic%2C800%2C800italic%2C900%2C900italic%7CRoboto%3A100%2C100italic%2C200%2C200italic%2C300%2C300italic%2C400%2C400italic%2C500%2C500italic%2C600%2C600italic%2C700%2C700italic%2C800%2C800italic%2C900%2C900italic&#038;display=auto&#038;ver=6.1.1' type='text/css' media='all' />
<link rel='stylesheet' id='elementor-icons-shared-0-css' href='https://themittenmac.com/wp-content/plugins/elementor/assets/lib/font-awesome/css/fontawesome.min.css?ver=5.15.3' type='text/css' media='all' />
<link rel='stylesheet' id='elementor-icons-fa-solid-css' href='https://themittenmac.com/wp-content/plugins/elementor/assets/lib/font-awesome/css/solid.min.css?ver=5.15.3' type='text/css' media='all' />
<link rel='stylesheet' id='jetpack_css-css' href='https://themittenmac.com/wp-content/plugins/jetpack/css/jetpack.css?ver=11.9.1' type='text/css' media='all' />
<link rel="preconnect" href="https://fonts.gstatic.com/" crossorigin><script type='text/javascript' src='https://themittenmac.com/wp-includes/js/jquery/jquery.min.js?ver=3.6.1' id='jquery-core-js'></script>
<script type='text/javascript' src='https://themittenmac.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2' id='jquery-migrate-js'></script>
<link rel="https://api.w.org/" href="https://themittenmac.com/wp-json/" /><link rel="alternate" type="application/json" href="https://themittenmac.com/wp-json/wp/v2/posts/241" /><link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://themittenmac.com/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="https://themittenmac.com/wp-includes/wlwmanifest.xml" />
<meta name="generator" content="WordPress 6.1.1" />
<link rel="canonical" href="https://themittenmac.com/tinyshell-under-the-microscope/" />
<link rel='shortlink' href='https://wp.me/pbtvdW-3T' />
<link rel="alternate" type="application/json+oembed" href="https://themittenmac.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fthemittenmac.com%2Ftinyshell-under-the-microscope%2F" />
<link rel="alternate" type="text/xml+oembed" href="https://themittenmac.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fthemittenmac.com%2Ftinyshell-under-the-microscope%2F&#038;format=xml" />
<!-- Enter your scripts here -->	<style>img#wpstats{display:none}</style>
		<meta name="generator" content="Elementor 3.11.5; settings: css_print_method-external, google_font-enabled, font_display-auto">
<style type="text/css" id="custom-background-css">
body.custom-background { background-color: #ffffff; }
</style>
	
<!-- Jetpack Open Graph Tags -->
<meta property="og:type" content="article" />
<meta property="og:title" content="Tinyshell Under the Microscope" />
<meta property="og:url" content="https://themittenmac.com/tinyshell-under-the-microscope/" />
<meta property="og:description" content="Back in 2018 I presented a talk titled “Macdoored” at a handful of small conferences. This talk was about various APT attacks I’d seen targeting Macs. In the talk I take a minute to mention the bac…" />
<meta property="article:published_time" content="2019-04-20T20:00:00+00:00" />
<meta property="article:modified_time" content="2020-04-20T16:39:37+00:00" />
<meta property="og:site_name" content="The Mitten Mac" />
<meta property="og:image" content="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/mydecode_args.png?fit=642%2C443&#038;ssl=1" />
<meta property="og:image:width" content="642" />
<meta property="og:image:height" content="443" />
<meta property="og:image:alt" content="" />
<meta property="og:locale" content="en_US" />

<!-- End Jetpack Open Graph Tags -->
<link rel="icon" href="https://i0.wp.com/themittenmac.com/wp-content/uploads/2022/08/cropped-Screen-Shot-2022-08-19-at-11.45.39-PM.png?fit=32%2C32&#038;ssl=1" sizes="32x32" />
<link rel="icon" href="https://i0.wp.com/themittenmac.com/wp-content/uploads/2022/08/cropped-Screen-Shot-2022-08-19-at-11.45.39-PM.png?fit=192%2C192&#038;ssl=1" sizes="192x192" />
<link rel="apple-touch-icon" href="https://i0.wp.com/themittenmac.com/wp-content/uploads/2022/08/cropped-Screen-Shot-2022-08-19-at-11.45.39-PM.png?fit=180%2C180&#038;ssl=1" />
<meta name="msapplication-TileImage" content="https://i0.wp.com/themittenmac.com/wp-content/uploads/2022/08/cropped-Screen-Shot-2022-08-19-at-11.45.39-PM.png?fit=270%2C270&#038;ssl=1" />
<style type="text/css" id="wp-custom-css">/* make the entire background of the site alienblood gray*/
.main {
  background-color: #3e3e3e;
}

.navbar {
	background-color: #323437;
	color: #3dd282;
	font-family: Orbitron
}

#post-48 {
	color: white;
}

.title-in-content {
	color: #3dd282;
	font-family: Inconsolata
}

.elementor.elementor-188 {
	background-color: #3e3e3e;
}

card-title.entry-title {
  color: red;
}

/* Hide tinyshell publish date */
div.col-md-12, div.posted-by.vcard.author{
	display: None
}

/* Hide category tags above blog headers on blog home */
h6.category.text-info {
	display: none
}

/* set blog header colors on blog home page */
a:link, a:visited {
  color: #3dd282;
  cursor: auto;
}

/* Insanely long line to make the blog post items stay green on mouse hover*/
.hestia-title, .hestia-title a, .hestia-title a:hover, .title, .title a, .title a:hover, .card-title, .card-title a, .card-title a:hover, .info-title, .info-title a, .info-title a:hover, .footer-brand, .footer-brand a, .footer-brand a:hover, .footer-big h4, .footer-big h4 a, .footer-big h4 a:hover, .footer-big h5, .footer-big h5 a, .footer-big h5 a:hover, .media .media-heading, .media .media-heading a, .media .media-heading a:hover, .woocommerce ul.products[class*="columns-"] li.product-category h2, .woocommerce ul.products[class*="columns-"] li.product-category h2 a, .woocommerce ul.products[class*="columns-"] li.product-category h2 a:hover {
    color: #3dd282
}

/* make text white in the blog previews on blog homepage */
div.card-description.entry-summary{
	color:white;
}

/* make the "Read more" item green */
.card-blog a.moretag {
	color: #3dd282
}

.hestia-blogs article .card-image img {
    display: none;
}</style></head>

<body class="post-template-default single single-post postid-241 single-format-standard custom-background blog-post header-layout-classic-blog elementor-default elementor-kit-376 elementor-page elementor-page-241">
	<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 0 0" width="0" height="0" focusable="false" role="none" style="visibility: hidden; position: absolute; left: -9999px; overflow: hidden;" ><defs><filter id="wp-duotone-dark-grayscale"><feColorMatrix color-interpolation-filters="sRGB" type="matrix" values=" .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 " /><feComponentTransfer color-interpolation-filters="sRGB" ><feFuncR type="table" tableValues="0 0.49803921568627" /><feFuncG type="table" tableValues="0 0.49803921568627" /><feFuncB type="table" tableValues="0 0.49803921568627" /><feFuncA type="table" tableValues="1 1" /></feComponentTransfer><feComposite in2="SourceGraphic" operator="in" /></filter></defs></svg><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 0 0" width="0" height="0" focusable="false" role="none" style="visibility: hidden; position: absolute; left: -9999px; overflow: hidden;" ><defs><filter id="wp-duotone-grayscale"><feColorMatrix color-interpolation-filters="sRGB" type="matrix" values=" .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 " /><feComponentTransfer color-interpolation-filters="sRGB" ><feFuncR type="table" tableValues="0 1" /><feFuncG type="table" tableValues="0 1" /><feFuncB type="table" tableValues="0 1" /><feFuncA type="table" tableValues="1 1" /></feComponentTransfer><feComposite in2="SourceGraphic" operator="in" /></filter></defs></svg><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 0 0" width="0" height="0" focusable="false" role="none" style="visibility: hidden; position: absolute; left: -9999px; overflow: hidden;" ><defs><filter id="wp-duotone-purple-yellow"><feColorMatrix color-interpolation-filters="sRGB" type="matrix" values=" .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 " /><feComponentTransfer color-interpolation-filters="sRGB" ><feFuncR type="table" tableValues="0.54901960784314 0.98823529411765" /><feFuncG type="table" tableValues="0 1" /><feFuncB type="table" tableValues="0.71764705882353 0.25490196078431" /><feFuncA type="table" tableValues="1 1" /></feComponentTransfer><feComposite in2="SourceGraphic" operator="in" /></filter></defs></svg><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 0 0" width="0" height="0" focusable="false" role="none" style="visibility: hidden; position: absolute; left: -9999px; overflow: hidden;" ><defs><filter id="wp-duotone-blue-red"><feColorMatrix color-interpolation-filters="sRGB" type="matrix" values=" .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 " /><feComponentTransfer color-interpolation-filters="sRGB" ><feFuncR type="table" tableValues="0 1" /><feFuncG type="table" tableValues="0 0.27843137254902" /><feFuncB type="table" tableValues="0.5921568627451 0.27843137254902" /><feFuncA type="table" tableValues="1 1" /></feComponentTransfer><feComposite in2="SourceGraphic" operator="in" /></filter></defs></svg><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 0 0" width="0" height="0" focusable="false" role="none" style="visibility: hidden; position: absolute; left: -9999px; overflow: hidden;" ><defs><filter id="wp-duotone-midnight"><feColorMatrix color-interpolation-filters="sRGB" type="matrix" values=" .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 " /><feComponentTransfer color-interpolation-filters="sRGB" ><feFuncR type="table" tableValues="0 0" /><feFuncG type="table" tableValues="0 0.64705882352941" /><feFuncB type="table" tableValues="0 1" /><feFuncA type="table" tableValues="1 1" /></feComponentTransfer><feComposite in2="SourceGraphic" operator="in" /></filter></defs></svg><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 0 0" width="0" height="0" focusable="false" role="none" style="visibility: hidden; position: absolute; left: -9999px; overflow: hidden;" ><defs><filter id="wp-duotone-magenta-yellow"><feColorMatrix color-interpolation-filters="sRGB" type="matrix" values=" .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 " /><feComponentTransfer color-interpolation-filters="sRGB" ><feFuncR type="table" tableValues="0.78039215686275 1" /><feFuncG type="table" tableValues="0 0.94901960784314" /><feFuncB type="table" tableValues="0.35294117647059 0.47058823529412" /><feFuncA type="table" tableValues="1 1" /></feComponentTransfer><feComposite in2="SourceGraphic" operator="in" /></filter></defs></svg><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 0 0" width="0" height="0" focusable="false" role="none" style="visibility: hidden; position: absolute; left: -9999px; overflow: hidden;" ><defs><filter id="wp-duotone-purple-green"><feColorMatrix color-interpolation-filters="sRGB" type="matrix" values=" .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 " /><feComponentTransfer color-interpolation-filters="sRGB" ><feFuncR type="table" tableValues="0.65098039215686 0.40392156862745" /><feFuncG type="table" tableValues="0 1" /><feFuncB type="table" tableValues="0.44705882352941 0.4" /><feFuncA type="table" tableValues="1 1" /></feComponentTransfer><feComposite in2="SourceGraphic" operator="in" /></filter></defs></svg><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 0 0" width="0" height="0" focusable="false" role="none" style="visibility: hidden; position: absolute; left: -9999px; overflow: hidden;" ><defs><filter id="wp-duotone-blue-orange"><feColorMatrix color-interpolation-filters="sRGB" type="matrix" values=" .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 .299 .587 .114 0 0 " /><feComponentTransfer color-interpolation-filters="sRGB" ><feFuncR type="table" tableValues="0.098039215686275 1" /><feFuncG type="table" tableValues="0 0.66274509803922" /><feFuncB type="table" tableValues="0.84705882352941 0.41960784313725" /><feFuncA type="table" tableValues="1 1" /></feComponentTransfer><feComposite in2="SourceGraphic" operator="in" /></filter></defs></svg>	<div class="wrapper post-241 post type-post status-publish format-standard has-post-thumbnail hentry category-malware tag-malware tag-reversing classic-blog ">
		<header class="header ">
			<div style="display: none"></div>		<nav class="navbar navbar-default navbar-fixed-top  hestia_left navbar-not-transparent">
						<div class="container">
						<div class="navbar-header">
			<div class="title-logo-wrapper">
				<a class="navbar-brand" href="https://themittenmac.com/"
						title="The Mitten Mac">
					<p>The Mitten Mac</p></a>
			</div>
								<div class="navbar-toggle-wrapper">
						<button type="button" class="navbar-toggle" data-toggle="collapse" data-target="#main-navigation">
				<span class="icon-bar"></span>
				<span class="icon-bar"></span>
				<span class="icon-bar"></span>
				<span class="sr-only">Toggle Navigation</span>
			</button>
					</div>
				</div>
		<div id="main-navigation" class="collapse navbar-collapse"><ul id="menu-up-top" class="nav navbar-nav"><li id="menu-item-1554" class="menu-item menu-item-type-post_type menu-item-object-page current_page_parent menu-item-1554"><a title="Blog" href="https://themittenmac.com/blog/">Blog</a></li>
<li id="menu-item-1550" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1550"><a title="Training" href="https://themittenmac.com/elementor-1520/">Training</a></li>
<li id="menu-item-1551" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1551"><a title="Tools" href="https://themittenmac.com/tools/">Tools</a></li>
<li id="menu-item-1552" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1552"><a title="Book" href="https://themittenmac.com/book/">Book</a></li>
<li id="menu-item-1553" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1553"><a title="GitHub" href="https://themittenmac.com/github/">GitHub</a></li>
</ul></div>			</div>
					</nav>
				</header>

<div class="main ">
	<div class="blog-post blog-post-wrapper">
		<div class="container">
			<article id="post-241" class="section section-text">
	<div class="row">
				<div class="col-md-8 single-post-container col-md-offset-2" data-layout="sidebar-right">

			<div class="single-post-wrap entry-content">	<div class="row"><div class="col-md-12"><h1 class="hestia-title title-in-content entry-title">Tinyshell Under the Microscope</h1><p class="author meta-in-content">Published by <a href="https://themittenmac.com/author/jaron-bradley/" class="vcard author"><strong class="fn">jaron.bradley</strong></a> on <time class="entry-date published" datetime="2019-04-20T20:00:00+00:00" content="2019-04-20">April 20, 2019</time><time class="updated hestia-hidden" datetime="2020-04-20T16:39:37+00:00">April 20, 2019</time></p><img class="wp-post-image image-in-page" src="https://themittenmac.com/wp-content/uploads/2019/12/mydecode_args.png" alt=""></div></div>		<div data-elementor-type="wp-page" data-elementor-id="241" class="elementor elementor-241">
						<div class="elementor-inner">
				<div class="elementor-section-wrap">
									<section class="elementor-section elementor-top-section elementor-element elementor-element-6ba58f54 elementor-section-stretched elementor-section-boxed elementor-section-height-default elementor-section-height-default" data-id="6ba58f54" data-element_type="section" data-settings="{&quot;stretch_section&quot;:&quot;section-stretched&quot;}">
						<div class="elementor-container elementor-column-gap-default">
							<div class="elementor-row">
					<div class="elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-6f3159" data-id="6f3159" data-element_type="column">
			<div class="elementor-column-wrap elementor-element-populated">
							<div class="elementor-widget-wrap">
						<div class="elementor-element elementor-element-0368305 elementor-widget elementor-widget-heading" data-id="0368305" data-element_type="widget" data-widget_type="heading.default">
				<div class="elementor-widget-container">
			<h2 class="elementor-heading-title elementor-size-default">Tinyshell Under the Microscope</h2>		</div>
				</div>
				<div class="elementor-element elementor-element-3d04c12 elementor-widget elementor-widget-text-editor" data-id="3d04c12" data-element_type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
								<div class="elementor-text-editor elementor-clearfix">
				<p><span style="font-weight: 400;">Back in 2018 I presented a talk titled “<a href="https://www.youtube.com/watch?v=ObiSt_RYOOM&amp;t=264s">Macdoored</a>” at a handful of small conferences. This talk was about various APT attacks I’d seen targeting Macs. In the talk I take a minute to mention the backdoor that the attackers were using which was a modified version of Tinyshell. Tinyshell is an open source tool that operates like a shady version of SSH. It’s been a while since I’ve encountered a new sample, but I fully believe attackers are still out there using it. If you watched the Macdoored </span><span style="font-weight: 400;">talk then you’ve seen what attackers are doing “post mortem” with this tool. However, no technical details have been discussed about the malware itself. This could be because in reality it’s changed minimally from its </span><a href="https://github.com/creaktive/tsh"><span style="font-weight: 400;">open source form</span></a><span style="font-weight: 400;">, but these modifications do allow us to detect its uniqueness in a handful of ways. Since this malware has been modified by malicious actors, calling it Tinyshell doesn’t seem accurate. So I will refer to this specific modified version as TinyTim (as I started trying to write this blog post around the holidays and dragged the release out until now).</span></p><p><span style="font-weight: 400;">The sample used in this blog post can be found </span><a href="https://www.virustotal.com/gui/file/8029e7b12742d67fe13fcd53953e6b03ca4fa09b1d5755f8f8289eac08366efc/detection"><span style="font-weight: 400;">here</span></a><span style="font-weight: 400;"> on VirusTotal.</span></p><p><span style="font-weight: 400;">SHA256: 8029e7b12742d67fe13fcd53953e6b03ca4fa09b1d5755f8f8289eac08366efc</span></p><p><span style="font-weight: 400;">On the VirusTotal page you’ll notice that a lot of AV scanners mark this as Keydnap. I myself would like to know how this link was made as I do not see the commonalities.</span></p><p><span style="font-weight: 400;">Finally, before we get started here, I’d like to give a huge shoutout to Patrick Wardle at </span><a href="http://www.objective-see.com/"><span style="font-weight: 400;">Objective-See</span></a><span style="font-weight: 400;"> for his guidance on Hopper diassembler. If you haven’t checked out his website with tons of free Mac security tools, go now!</span></p>					</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-d02383e elementor-widget elementor-widget-text-editor" data-id="d02383e" data-element_type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
								<div class="elementor-text-editor elementor-clearfix">
									</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-bd64ad8 elementor-widget-divider--view-line elementor-widget elementor-widget-divider" data-id="bd64ad8" data-element_type="widget" data-widget_type="divider.default">
				<div class="elementor-widget-container">
					<div class="elementor-divider">
			<span class="elementor-divider-separator">
						</span>
		</div>
				</div>
				</div>
				<div class="elementor-element elementor-element-921e403 elementor-widget elementor-widget-heading" data-id="921e403" data-element_type="widget" data-widget_type="heading.default">
				<div class="elementor-widget-container">
			<h2 class="elementor-heading-title elementor-size-default">Initial Impressions</h2>		</div>
				</div>
				<div class="elementor-element elementor-element-43d6621 elementor-widget elementor-widget-text-editor" data-id="43d6621" data-element_type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
								<div class="elementor-text-editor elementor-clearfix">
				<p><span style="font-weight: 400;">First observations show that this malware is signed by a developer. It’s unknown if this was a legitimate stolen signing certificate or if it was created and owned by the attacker. This is interesting because malware is generally only signed for the purpose of defeating Gatekeeper. As I mentioned in my Macdoored talk, this malware was dropped on the victim systems over SSH using compromised credentials. Perhaps the attacker used a signed binary on purpose in the interest of blending in should the binary be discovered.</span></p>					</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-cbb5a38 elementor-widget elementor-widget-image" data-id="cbb5a38" data-element_type="widget" data-widget_type="image.default">
				<div class="elementor-widget-container">
								<div class="elementor-image">
												<img decoding="async" width="665" height="312" src="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/codesign_tinytim.png?fit=665%2C312&amp;ssl=1" class="attachment-large size-large wp-image-362" alt="" loading="lazy" srcset="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/codesign_tinytim.png?w=665&amp;ssl=1 665w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/codesign_tinytim.png?resize=300%2C141&amp;ssl=1 300w" sizes="(max-width: 665px) 100vw, 665px" />														</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-4d1c215 elementor-widget elementor-widget-text-editor" data-id="4d1c215" data-element_type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
								<div class="elementor-text-editor elementor-clearfix">
				<p><span style="font-weight: 400;">One of the main changes made from the Tinyshell source is the addition of a function called “MyDecode().” This function allows the attacker to encode some of the exposed strings inside of the binary. We will have to open it in a disassembler such as Hopper if we want to get a better idea of what’s going on here.</span></p>					</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-239948e elementor-widget elementor-widget-image" data-id="239948e" data-element_type="widget" data-widget_type="image.default">
				<div class="elementor-widget-container">
								<div class="elementor-image">
													<a href="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/debug_and_getuid.png?ssl=1" data-elementor-open-lightbox="yes" data-elementor-lightbox-title="debug_and_getuid" data-e-action-hash="#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6MjQ5LCJ1cmwiOiJodHRwczpcL1wvdGhlbWl0dGVubWFjLmNvbVwvd3AtY29udGVudFwvdXBsb2Fkc1wvMjAxOVwvMTJcL2RlYnVnX2FuZF9nZXR1aWQucG5nIn0%3D">
							<img decoding="async" width="750" height="431" src="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/debug_and_getuid.png?fit=750%2C431&amp;ssl=1" class="attachment-large size-large wp-image-249" alt="" loading="lazy" srcset="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/debug_and_getuid.png?w=2008&amp;ssl=1 2008w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/debug_and_getuid.png?resize=300%2C172&amp;ssl=1 300w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/debug_and_getuid.png?resize=1024%2C588&amp;ssl=1 1024w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/debug_and_getuid.png?resize=768%2C441&amp;ssl=1 768w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/debug_and_getuid.png?resize=1536%2C883&amp;ssl=1 1536w" sizes="(max-width: 750px) 100vw, 750px" />								</a>
														</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-762a479 elementor-widget elementor-widget-text-editor" data-id="762a479" data-element_type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
								<div class="elementor-text-editor elementor-clearfix">
				<p><span style="font-weight: 400;">Inside the main function, the very first check shows that TinyTim has some basic anti-debugging added to it. Right at the start we see </span><a href="https://developer.apple.com/library/archive/documentation/System/Conceptual/ManPages_iPhoneOS/man2/ptrace.2.html"><span style="font-weight: 400;">ptrace</span></a><span style="font-weight: 400;"> used with the ptrace_deny_attach argument which will immediately close the program if it’s executed while attached to a debugger. We will have to keep this in mind. </span></p><p><span style="font-weight: 400;">After checking for the presence of a debugger, it then goes on to run getuid() which returns the user id of the user who executed the program. In this case, the malware is checking for a UID of 0 which belongs to the root user. In both cases, the MyDecode function ends up getting run on what looks like a garbled string. If we select  _MyDecode in the labels on the left and press ‘x’ we get a nice shot of all the places where this function is referenced.</span></p>					</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-02d03b4 elementor-widget elementor-widget-image" data-id="02d03b4" data-element_type="widget" data-widget_type="image.default">
				<div class="elementor-widget-container">
								<div class="elementor-image">
													<a href="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/myDecode_calls.png?ssl=1" data-elementor-open-lightbox="yes" data-elementor-lightbox-title="myDecode_calls" data-e-action-hash="#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6MjY5LCJ1cmwiOiJodHRwczpcL1wvdGhlbWl0dGVubWFjLmNvbVwvd3AtY29udGVudFwvdXBsb2Fkc1wvMjAxOVwvMTJcL215RGVjb2RlX2NhbGxzLnBuZyJ9">
							<img decoding="async" width="750" height="424" src="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/myDecode_calls.png?fit=750%2C424&amp;ssl=1" class="attachment-large size-large wp-image-269" alt="" loading="lazy" srcset="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/myDecode_calls.png?w=1534&amp;ssl=1 1534w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/myDecode_calls.png?resize=300%2C170&amp;ssl=1 300w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/myDecode_calls.png?resize=1024%2C579&amp;ssl=1 1024w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/myDecode_calls.png?resize=768%2C435&amp;ssl=1 768w" sizes="(max-width: 750px) 100vw, 750px" />								</a>
														</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-e8a0f41 elementor-widget elementor-widget-text-editor" data-id="e8a0f41" data-element_type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
								<div class="elementor-text-editor elementor-clearfix">
				<p><span style="font-weight: normal;">Eleven calls from main and two from tshd_runshell. Clearly this malware relies on this function frequently. If we switch the Hopper view to pseudocode we see that this function is actually quite basic.</span></p>					</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-48766a8 elementor-widget elementor-widget-image" data-id="48766a8" data-element_type="widget" data-widget_type="image.default">
				<div class="elementor-widget-container">
								<div class="elementor-image">
													<a href="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/mydecode.png?ssl=1" data-elementor-open-lightbox="yes" data-elementor-lightbox-title="mydecode" data-e-action-hash="#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6MjUxLCJ1cmwiOiJodHRwczpcL1wvdGhlbWl0dGVubWFjLmNvbVwvd3AtY29udGVudFwvdXBsb2Fkc1wvMjAxOVwvMTJcL215ZGVjb2RlLnBuZyJ9">
							<img decoding="async" width="750" height="290" src="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/mydecode.png?fit=750%2C290&amp;ssl=1" class="attachment-large size-large wp-image-251" alt="" loading="lazy" srcset="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/mydecode.png?w=1962&amp;ssl=1 1962w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/mydecode.png?resize=300%2C116&amp;ssl=1 300w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/mydecode.png?resize=1024%2C396&amp;ssl=1 1024w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/mydecode.png?resize=768%2C297&amp;ssl=1 768w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/mydecode.png?resize=1536%2C593&amp;ssl=1 1536w" sizes="(max-width: 750px) 100vw, 750px" />								</a>
														</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-a71955e elementor-widget elementor-widget-text-editor" data-id="a71955e" data-element_type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
								<div class="elementor-text-editor elementor-clearfix">
				<p><span style="font-weight: normal;">The key item to focus in on here is r14 ^ r15. This is the simple xor’ing of two bytes which is common with malware. We see that the values of r14 and r15 are that of the second and third arguments passed to the function. The first argument being passed in here is the string that the attacker wants to unmask. If we go back to the main code we can take a look at what values the attacker passes in when he calls MyDecode.</span></p>					</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-6b3619e elementor-widget elementor-widget-image" data-id="6b3619e" data-element_type="widget" data-widget_type="image.default">
				<div class="elementor-widget-container">
								<div class="elementor-image">
												<img decoding="async" width="642" height="443" src="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/mydecode_args.png?fit=642%2C443&amp;ssl=1" class="attachment-large size-large wp-image-634" alt="" loading="lazy" srcset="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/mydecode_args.png?w=642&amp;ssl=1 642w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/mydecode_args.png?resize=300%2C207&amp;ssl=1 300w" sizes="(max-width: 642px) 100vw, 642px" />														</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-449c334 elementor-widget elementor-widget-text-editor" data-id="449c334" data-element_type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
								<div class="elementor-text-editor elementor-clearfix">
				<p><span style="font-weight: normal;">In the first handful of calls, we see that MyDecode decodes each string using the XOR scheme 0x4 ^ 0x2. We have a few options to convert these strings back to readable text. We can either debug the program, or write a simple script to decode the strings for us. Alternatively, we can do both! Let&#8217;s start by debugging. </span></p>					</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-4050a07 elementor-widget-divider--view-line elementor-widget elementor-widget-divider" data-id="4050a07" data-element_type="widget" data-widget_type="divider.default">
				<div class="elementor-widget-container">
					<div class="elementor-divider">
			<span class="elementor-divider-separator">
						</span>
		</div>
				</div>
				</div>
				<div class="elementor-element elementor-element-fcadff5 elementor-widget elementor-widget-heading" data-id="fcadff5" data-element_type="widget" data-widget_type="heading.default">
				<div class="elementor-widget-container">
			<h2 class="elementor-heading-title elementor-size-default">Prepping For Debugging</h2>		</div>
				</div>
				<div class="elementor-element elementor-element-bf3d9be elementor-widget elementor-widget-text-editor" data-id="bf3d9be" data-element_type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
								<div class="elementor-text-editor elementor-clearfix">
				<p><span style="font-weight: 400;">Before we begin, we have to prep this executable by taking the following steps so that it will run…</span></p>					</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-d84bae0 elementor-icon-list--layout-traditional elementor-list-item-link-full_width elementor-widget elementor-widget-icon-list" data-id="d84bae0" data-element_type="widget" data-widget_type="icon-list.default">
				<div class="elementor-widget-container">
					<ul class="elementor-icon-list-items">
							<li class="elementor-icon-list-item">
											<span class="elementor-icon-list-icon">
							<i aria-hidden="true" class="fas fa-check"></i>						</span>
										<span class="elementor-icon-list-text">Give TinyTim executable permissions with chmod +x</span>
									</li>
								<li class="elementor-icon-list-item">
											<span class="elementor-icon-list-icon">
							<i aria-hidden="true" class="fas fa-check"></i>						</span>
										<span class="elementor-icon-list-text">Remove the revoked signature with codesign --remove-signature</span>
									</li>
								<li class="elementor-icon-list-item">
											<span class="elementor-icon-list-icon">
							<i aria-hidden="true" class="fas fa-check"></i>						</span>
										<span class="elementor-icon-list-text"><span style="color: rgb(255, 255, 255); font-family: Chenla, sans-serif; font-size: 17px; white-space: normal;">Remove the quarantine bit with xattr -d com.apple.quarantine (assuming this malware was downloaded)</span></span>
									</li>
								<li class="elementor-icon-list-item">
											<span class="elementor-icon-list-icon">
							<i aria-hidden="true" class="fas fa-check"></i>						</span>
										<span class="elementor-icon-list-text">Remove the ptrace() call discussed previously which is an anti-debugging technique that will close this program if the presence of a debugger is detected. We can do this by placing a breakpoint on the ptrace call and then stepping over it or we can simply NOP it so we don't have to worry about an extra breakpoint every time we run it.</span>
									</li>
						</ul>
				</div>
				</div>
				<div class="elementor-element elementor-element-4d67011 elementor-widget elementor-widget-image" data-id="4d67011" data-element_type="widget" data-widget_type="image.default">
				<div class="elementor-widget-container">
								<div class="elementor-image">
													<a href="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/ptrace_modify.png?ssl=1" data-elementor-open-lightbox="yes" data-elementor-lightbox-title="ptrace_modify" data-e-action-hash="#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6MjU2LCJ1cmwiOiJodHRwczpcL1wvdGhlbWl0dGVubWFjLmNvbVwvd3AtY29udGVudFwvdXBsb2Fkc1wvMjAxOVwvMTJcL3B0cmFjZV9tb2RpZnkucG5nIn0%3D">
							<img decoding="async" width="750" height="313" src="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/ptrace_modify.png?fit=750%2C313&amp;ssl=1" class="attachment-large size-large wp-image-256" alt="" loading="lazy" srcset="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/ptrace_modify.png?w=2690&amp;ssl=1 2690w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/ptrace_modify.png?resize=300%2C125&amp;ssl=1 300w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/ptrace_modify.png?resize=1024%2C428&amp;ssl=1 1024w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/ptrace_modify.png?resize=768%2C321&amp;ssl=1 768w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/ptrace_modify.png?resize=1536%2C642&amp;ssl=1 1536w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/ptrace_modify.png?resize=2048%2C856&amp;ssl=1 2048w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/ptrace_modify.png?w=2250&amp;ssl=1 2250w" sizes="(max-width: 750px) 100vw, 750px" />								</a>
														</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-dc43061 elementor-widget elementor-widget-image" data-id="dc43061" data-element_type="widget" data-widget_type="image.default">
				<div class="elementor-widget-container">
								<div class="elementor-image">
													<a href="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/ptrace_nop.png?ssl=1" data-elementor-open-lightbox="yes" data-elementor-lightbox-title="ptrace_nop" data-e-action-hash="#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6MjU4LCJ1cmwiOiJodHRwczpcL1wvdGhlbWl0dGVubWFjLmNvbVwvd3AtY29udGVudFwvdXBsb2Fkc1wvMjAxOVwvMTJcL3B0cmFjZV9ub3AucG5nIn0%3D">
							<img decoding="async" width="750" height="579" src="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/ptrace_nop.png?fit=750%2C579&amp;ssl=1" class="attachment-large size-large wp-image-258" alt="" loading="lazy" srcset="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/ptrace_nop.png?w=1482&amp;ssl=1 1482w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/ptrace_nop.png?resize=300%2C232&amp;ssl=1 300w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/ptrace_nop.png?resize=1024%2C790&amp;ssl=1 1024w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/ptrace_nop.png?resize=768%2C593&amp;ssl=1 768w" sizes="(max-width: 750px) 100vw, 750px" />								</a>
														</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-a85ba0a elementor-widget-divider--view-line elementor-widget elementor-widget-divider" data-id="a85ba0a" data-element_type="widget" data-widget_type="divider.default">
				<div class="elementor-widget-container">
					<div class="elementor-divider">
			<span class="elementor-divider-separator">
						</span>
		</div>
				</div>
				</div>
				<div class="elementor-element elementor-element-e520012 elementor-widget elementor-widget-heading" data-id="e520012" data-element_type="widget" data-widget_type="heading.default">
				<div class="elementor-widget-container">
			<h2 class="elementor-heading-title elementor-size-default">Debugging</h2>		</div>
				</div>
				<div class="elementor-element elementor-element-48cd840 elementor-widget elementor-widget-text-editor" data-id="48cd840" data-element_type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
								<div class="elementor-text-editor elementor-clearfix">
				<p><span style="font-weight: 400;">Now that we’ve gotten all the setup out of the way we can open TinyTim in our debugger and start playing with the MyDecode() function. Let’s put a breakpoint on the return at the end of the function and kick off the debugger.</span></p>					</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-30c7af3 elementor-widget elementor-widget-image" data-id="30c7af3" data-element_type="widget" data-widget_type="image.default">
				<div class="elementor-widget-container">
								<div class="elementor-image">
													<a href="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/myDecode_breakpoint.png?ssl=1" data-elementor-open-lightbox="yes" data-elementor-lightbox-title="myDecode_breakpoint" data-e-action-hash="#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6MjY3LCJ1cmwiOiJodHRwczpcL1wvdGhlbWl0dGVubWFjLmNvbVwvd3AtY29udGVudFwvdXBsb2Fkc1wvMjAxOVwvMTJcL215RGVjb2RlX2JyZWFrcG9pbnQucG5nIn0%3D">
							<img decoding="async" width="1536" height="748" src="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/myDecode_breakpoint.png?fit=1536%2C748&amp;ssl=1" class="attachment-1536x1536 size-1536x1536 wp-image-267" alt="" loading="lazy" srcset="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/myDecode_breakpoint.png?w=1906&amp;ssl=1 1906w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/myDecode_breakpoint.png?resize=300%2C146&amp;ssl=1 300w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/myDecode_breakpoint.png?resize=1024%2C499&amp;ssl=1 1024w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/myDecode_breakpoint.png?resize=768%2C374&amp;ssl=1 768w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/myDecode_breakpoint.png?resize=1536%2C748&amp;ssl=1 1536w" sizes="(max-width: 750px) 100vw, 750px" />								</a>
														</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-708bb11 elementor-widget elementor-widget-text-editor" data-id="708bb11" data-element_type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
								<div class="elementor-text-editor elementor-clearfix">
				<p><span style="font-weight: 400;">When the breakpoint is hit within the debugger it means the MyDecode function just finished running. If we print the RDX register using the x/s $rdx command we can see the string that was decoded.</span></p>					</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-ecdae2a elementor-widget elementor-widget-image" data-id="ecdae2a" data-element_type="widget" data-widget_type="image.default">
				<div class="elementor-widget-container">
								<div class="elementor-image">
													<a href="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/print_config_location.png?ssl=1" data-elementor-open-lightbox="yes" data-elementor-lightbox-title="print_config_location" data-e-action-hash="#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6Mjc0LCJ1cmwiOiJodHRwczpcL1wvdGhlbWl0dGVubWFjLmNvbVwvd3AtY29udGVudFwvdXBsb2Fkc1wvMjAxOVwvMTJcL3ByaW50X2NvbmZpZ19sb2NhdGlvbi5wbmcifQ%3D%3D">
							<img decoding="async" width="750" height="490" src="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/print_config_location.png?fit=750%2C490&amp;ssl=1" class="attachment-large size-large wp-image-274" alt="" loading="lazy" srcset="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/print_config_location.png?w=1586&amp;ssl=1 1586w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/print_config_location.png?resize=300%2C196&amp;ssl=1 300w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/print_config_location.png?resize=1024%2C669&amp;ssl=1 1024w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/print_config_location.png?resize=768%2C502&amp;ssl=1 768w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/print_config_location.png?resize=1536%2C1003&amp;ssl=1 1536w" sizes="(max-width: 750px) 100vw, 750px" />								</a>
														</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-2fef742 elementor-widget elementor-widget-text-editor" data-id="2fef742" data-element_type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
								<div class="elementor-text-editor elementor-clearfix">
				<p><span style="font-weight: 400;">In this case, we see that the decoded string is &#8220;/Users/%@/Library/Fonts/.cache&#8221;. Keep in mind we are running this as a basic user and from what we saw in main, a different path would be used if it was run as root (see the if/else statement in the first screenshot). We can continue to “skip to next breakpoint” and print each string. The result is not surprising.</span></p>					</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-84f1106 elementor-widget elementor-widget-text-editor" data-id="84f1106" data-element_type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
								<div class="elementor-text-editor elementor-clearfix">
				<p class="p2">0x10000c260: &#8220;/Users/%@/Library/Fonts/.cache&#8221;<br />0x7ffeefbffa40: &#8220;PROG_INFO&#8221;<br />0x7ffeefbffa50: &#8220;name_masq&#8221;<br />0x7ffeefbffa60: &#8220;CONN_INFO&#8221;<br />0x7ffeefbffb28: &#8220;domain&#8221;<br />0x7ffeefbffa70: &#8220;&#8221;<br />0x7ffeefbffa70: &#8220;next_time&#8221;</p>					</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-7776c1f elementor-widget elementor-widget-text-editor" data-id="7776c1f" data-element_type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
								<div class="elementor-text-editor elementor-clearfix">
				<p><span style="font-weight: 400;">Most security analysts will recognize the above strings as backdoor configuration options. Presumably, these options will have been read from the “/Users/%@/Library/Fonts/.cache” file. However, none of these configurations were successfully read as we have not created a config file at the specified location. Also notice that one of the decoded strings was empty. That’s somewhat strange, but we will revisit that later. Let’s hack together some quick python code that can unmask these strings as well because that never hurts. No rocket science here, we’ll just step over each character in a supplied string and run the XOR scheme on it to get the decoded character.</span></p>					</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-93358d1 elementor-widget elementor-widget-image" data-id="93358d1" data-element_type="widget" data-widget_type="image.default">
				<div class="elementor-widget-container">
								<div class="elementor-image">
													<a href="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/myDecodePython.png?ssl=1" data-elementor-open-lightbox="yes" data-elementor-lightbox-title="myDecodePython" data-e-action-hash="#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6MzIxLCJ1cmwiOiJodHRwczpcL1wvdGhlbWl0dGVubWFjLmNvbVwvd3AtY29udGVudFwvdXBsb2Fkc1wvMjAxOVwvMTJcL215RGVjb2RlUHl0aG9uLnBuZyJ9">
							<img decoding="async" width="282" height="205" src="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/myDecodePython.png?fit=282%2C205&amp;ssl=1" class="attachment-large size-large wp-image-321" alt="" loading="lazy" />								</a>
														</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-d02accd elementor-widget elementor-widget-text-editor" data-id="d02accd" data-element_type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
								<div class="elementor-text-editor elementor-clearfix">
				<p><span style="font-weight: 400;">And now we can easily decode without the use of the debugger.</span></p>					</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-d2853c2 elementor-widget elementor-widget-image" data-id="d2853c2" data-element_type="widget" data-widget_type="image.default">
				<div class="elementor-widget-container">
								<div class="elementor-image">
													<a href="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/mydecode_running.png?ssl=1" data-elementor-open-lightbox="yes" data-elementor-lightbox-title="mydecode_running" data-e-action-hash="#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6MzIyLCJ1cmwiOiJodHRwczpcL1wvdGhlbWl0dGVubWFjLmNvbVwvd3AtY29udGVudFwvdXBsb2Fkc1wvMjAxOVwvMTJcL215ZGVjb2RlX3J1bm5pbmcucG5nIn0%3D">
							<img decoding="async" width="640" height="148" src="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/mydecode_running.png?fit=640%2C148&amp;ssl=1" class="attachment-large size-large wp-image-322" alt="" loading="lazy" srcset="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/mydecode_running.png?w=640&amp;ssl=1 640w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/mydecode_running.png?resize=300%2C69&amp;ssl=1 300w" sizes="(max-width: 640px) 100vw, 640px" />								</a>
														</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-a7a8193 elementor-widget elementor-widget-text-editor" data-id="a7a8193" data-element_type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
								<div class="elementor-text-editor elementor-clearfix">
				<p><span style="font-weight: 400;">Awesome! We’re now able to take various strings stored in the executable and view them in plain text. Moving on, we can try to create a config file to see what happens, but we don’t know the format of said config file. Let’s see if we can figure that out.</span></p><p><span style="font-weight: 400;">The key to discovering the config format actually lies within the getProfileString() function. This function makes the only references to the fopen(), fgets(), fseek(), and fclose() functions. These are functions commonly used for opening, closing, and moving about the different contents of a file. </span></p>					</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-4f81ee8 elementor-widget elementor-widget-image" data-id="4f81ee8" data-element_type="widget" data-widget_type="image.default">
				<div class="elementor-widget-container">
								<div class="elementor-image">
													<a href="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/config_file_parse_functions.png?ssl=1" data-elementor-open-lightbox="yes" data-elementor-lightbox-title="config_file_parse_functions" data-e-action-hash="#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6Mjg3LCJ1cmwiOiJodHRwczpcL1wvdGhlbWl0dGVubWFjLmNvbVwvd3AtY29udGVudFwvdXBsb2Fkc1wvMjAxOVwvMTJcL2NvbmZpZ19maWxlX3BhcnNlX2Z1bmN0aW9ucy5wbmcifQ%3D%3D">
							<img decoding="async" width="626" height="449" src="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/config_file_parse_functions.png?fit=626%2C449&amp;ssl=1" class="attachment-large size-large wp-image-287" alt="" loading="lazy" srcset="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/config_file_parse_functions.png?w=626&amp;ssl=1 626w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/config_file_parse_functions.png?resize=300%2C215&amp;ssl=1 300w" sizes="(max-width: 626px) 100vw, 626px" />								</a>
														</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-6bdb35e elementor-widget elementor-widget-text-editor" data-id="6bdb35e" data-element_type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
								<div class="elementor-text-editor elementor-clearfix">
				<p><span style="font-weight: normal;">As we can see fopen opens the file specified as arg0 which in our case is the config file for the malware. It then begins parsing it.&nbsp; At the bottom of the file we see sscanf() is being used with some specific formatting.</span></p>					</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-1f3b5e4 elementor-widget elementor-widget-image" data-id="1f3b5e4" data-element_type="widget" data-widget_type="image.default">
				<div class="elementor-widget-container">
								<div class="elementor-image">
													<a href="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/sscanf.png?ssl=1" data-elementor-open-lightbox="yes" data-elementor-lightbox-title="sscanf" data-e-action-hash="#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6MjkyLCJ1cmwiOiJodHRwczpcL1wvdGhlbWl0dGVubWFjLmNvbVwvd3AtY29udGVudFwvdXBsb2Fkc1wvMjAxOVwvMTJcL3NzY2FuZi5wbmcifQ%3D%3D">
							<img decoding="async" width="359" height="342" src="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/sscanf.png?fit=359%2C342&amp;ssl=1" class="attachment-large size-large wp-image-292" alt="" loading="lazy" srcset="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/sscanf.png?w=359&amp;ssl=1 359w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/sscanf.png?resize=300%2C286&amp;ssl=1 300w" sizes="(max-width: 359px) 100vw, 359px" />								</a>
														</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-e5c2db8 elementor-widget elementor-widget-text-editor" data-id="e5c2db8" data-element_type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
								<div class="elementor-text-editor elementor-clearfix">
				<p><span style="font-weight: 400;">You can either Google the sscanf function to try to figure out what’s going on here (if you’re not familiar with it) OR you can do what we should have already done and just Google the GetProfileString() function which reveals exactly what we’re looking for…</span></p>					</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-7c0662d elementor-widget elementor-widget-image" data-id="7c0662d" data-element_type="widget" data-widget_type="image.default">
				<div class="elementor-widget-container">
								<div class="elementor-image">
													<a href="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/google_result.png?ssl=1" data-elementor-open-lightbox="yes" data-elementor-lightbox-title="google_result" data-e-action-hash="#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6MzAwLCJ1cmwiOiJodHRwczpcL1wvdGhlbWl0dGVubWFjLmNvbVwvd3AtY29udGVudFwvdXBsb2Fkc1wvMjAxOVwvMTJcL2dvb2dsZV9yZXN1bHQucG5nIn0%3D">
							<img decoding="async" width="660" height="237" src="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/google_result.png?fit=660%2C237&amp;ssl=1" class="attachment-large size-large wp-image-300" alt="" loading="lazy" srcset="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/google_result.png?w=660&amp;ssl=1 660w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/google_result.png?resize=300%2C108&amp;ssl=1 300w" sizes="(max-width: 660px) 100vw, 660px" />								</a>
														</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-2c84d25 elementor-widget elementor-widget-image" data-id="2c84d25" data-element_type="widget" data-widget_type="image.default">
				<div class="elementor-widget-container">
								<div class="elementor-image">
													<a href="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/google_getProfileString.png?ssl=1" data-elementor-open-lightbox="yes" data-elementor-lightbox-title="google_getProfileString" data-e-action-hash="#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6MzAxLCJ1cmwiOiJodHRwczpcL1wvdGhlbWl0dGVubWFjLmNvbVwvd3AtY29udGVudFwvdXBsb2Fkc1wvMjAxOVwvMTJcL2dvb2dsZV9nZXRQcm9maWxlU3RyaW5nLnBuZyJ9">
							<img decoding="async" width="750" height="337" src="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/google_getProfileString.png?fit=750%2C337&amp;ssl=1" class="attachment-large size-large wp-image-301" alt="" loading="lazy" srcset="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/google_getProfileString.png?w=1061&amp;ssl=1 1061w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/google_getProfileString.png?resize=300%2C135&amp;ssl=1 300w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/google_getProfileString.png?resize=1024%2C460&amp;ssl=1 1024w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/google_getProfileString.png?resize=768%2C345&amp;ssl=1 768w" sizes="(max-width: 750px) 100vw, 750px" />								</a>
														</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-90363cf elementor-widget elementor-widget-text-editor" data-id="90363cf" data-element_type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
								<div class="elementor-text-editor elementor-clearfix">
				<p><span style="font-weight: 400;">So here we have a function that is some type of port from Windows allowing users to read an ini formatted config file. This makes sense if you think about the values we saw earlier resulting from the myDecode() function. This means the items in all caps were lpAppName values and the lowercase items were the lpKeyName values. This of course feels a little unnatural on Mac since this is part of the Windows .ini format, but in reality it’s nothing more than a text file and is that really a format? (We ask deep questions here at The Mitten Mac). This means our config file should look something like the following…</span></p>					</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-941d475 elementor-widget elementor-widget-image" data-id="941d475" data-element_type="widget" data-widget_type="image.default">
				<div class="elementor-widget-container">
								<div class="elementor-image">
													<a href="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/config_localhost.png?ssl=1" data-elementor-open-lightbox="yes" data-elementor-lightbox-title="config_localhost" data-e-action-hash="#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6MzE2LCJ1cmwiOiJodHRwczpcL1wvdGhlbWl0dGVubWFjLmNvbVwvd3AtY29udGVudFwvdXBsb2Fkc1wvMjAxOVwvMTJcL2NvbmZpZ19sb2NhbGhvc3QucG5nIn0%3D">
							<img decoding="async" width="710" height="229" src="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/config_localhost.png?fit=710%2C229&amp;ssl=1" class="attachment-large size-large wp-image-316" alt="" loading="lazy" srcset="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/config_localhost.png?w=710&amp;ssl=1 710w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/config_localhost.png?resize=300%2C97&amp;ssl=1 300w" sizes="(max-width: 710px) 100vw, 710px" />								</a>
														</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-a40ae17 elementor-widget elementor-widget-text-editor" data-id="a40ae17" data-element_type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
								<div class="elementor-text-editor elementor-clearfix">
				<p><span style="font-weight: normal;">The values used here are of course made up for my own testing, but this formatting should do the trick. An easy way to confirm is to place a breakpoint on the strcpy() function near the bottom of getProfileString() because presumably this function is used to save the strings pulled out of the config file. Once the breakpoint is hit we can print the $RDI register using &#8220;x/s $RDI&#8221; (RDI should almost always hold arg0 when functions are called) to display the first argument being passed to the strcpy function before continuing to the next breakpoint and repeating.</span></p>					</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-2592c13 elementor-widget elementor-widget-image" data-id="2592c13" data-element_type="widget" data-widget_type="image.default">
				<div class="elementor-widget-container">
								<div class="elementor-image">
													<a href="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/config_rdi.png?ssl=1" data-elementor-open-lightbox="yes" data-elementor-lightbox-title="config_rdi" data-e-action-hash="#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6MzE0LCJ1cmwiOiJodHRwczpcL1wvdGhlbWl0dGVubWFjLmNvbVwvd3AtY29udGVudFwvdXBsb2Fkc1wvMjAxOVwvMTJcL2NvbmZpZ19yZGkucG5nIn0%3D">
							<img decoding="async" width="750" height="530" src="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/config_rdi.png?fit=750%2C530&amp;ssl=1" class="attachment-large size-large wp-image-314" alt="" loading="lazy" srcset="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/config_rdi.png?w=1191&amp;ssl=1 1191w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/config_rdi.png?resize=300%2C212&amp;ssl=1 300w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/config_rdi.png?resize=1024%2C724&amp;ssl=1 1024w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/config_rdi.png?resize=768%2C543&amp;ssl=1 768w" sizes="(max-width: 750px) 100vw, 750px" />								</a>
														</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-3753496 elementor-widget elementor-widget-text-editor" data-id="3753496" data-element_type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
								<div class="elementor-text-editor elementor-clearfix">
				<p><span style="font-weight: 400;">With the proper config file now formatted we are getting closer to having operational malware. However, there are still a few hang ups. Let’s revisit the breakpoint we put on the myDecode function and print out each decoded value again. If you recall, the sixth string we tried to print came out as an empty string. Let’s see if anything has changed there.</span></p>					</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-63aea9a elementor-widget elementor-widget-image" data-id="63aea9a" data-element_type="widget" data-widget_type="image.default">
				<div class="elementor-widget-container">
								<div class="elementor-image">
													<a href="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/encoded_ip.png?ssl=1" data-elementor-open-lightbox="yes" data-elementor-lightbox-title="encoded_ip" data-e-action-hash="#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6MzI0LCJ1cmwiOiJodHRwczpcL1wvdGhlbWl0dGVubWFjLmNvbVwvd3AtY29udGVudFwvdXBsb2Fkc1wvMjAxOVwvMTJcL2VuY29kZWRfaXAucG5nIn0%3D">
							<img decoding="async" width="750" height="356" src="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/encoded_ip.png?fit=750%2C356&amp;ssl=1" class="attachment-large size-large wp-image-324" alt="" loading="lazy" srcset="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/encoded_ip.png?w=789&amp;ssl=1 789w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/encoded_ip.png?resize=300%2C143&amp;ssl=1 300w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/encoded_ip.png?resize=768%2C365&amp;ssl=1 768w" sizes="(max-width: 750px) 100vw, 750px" />								</a>
														</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-fb376cb elementor-widget elementor-widget-text-editor" data-id="fb376cb" data-element_type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
								<div class="elementor-text-editor elementor-clearfix">
				<p><span style="font-weight: 400;">Interesting! The decoded string now turns up as “749060607.” Notice that this string is decoded right after the “domain” string is decoded. Just by looking we can tell that it’s the same length of the localhost IP address that we supplied – 127.0.0.1.</span></p><p><span style="font-weight: 400;">If we use the myDecode.py script we wrote and run it on 127.0.0.1 is it possible that we get “749060607”?</span></p>					</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-d4126c4 elementor-widget elementor-widget-image" data-id="d4126c4" data-element_type="widget" data-widget_type="image.default">
				<div class="elementor-widget-container">
								<div class="elementor-image">
													<a href="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/localhost_xored.png?ssl=1" data-elementor-open-lightbox="yes" data-elementor-lightbox-title="localhost_xored" data-e-action-hash="#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6MzI1LCJ1cmwiOiJodHRwczpcL1wvdGhlbWl0dGVubWFjLmNvbVwvd3AtY29udGVudFwvdXBsb2Fkc1wvMjAxOVwvMTJcL2xvY2FsaG9zdF94b3JlZC5wbmcifQ%3D%3D">
							<img decoding="async" width="408" height="139" src="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/localhost_xored.png?fit=408%2C139&amp;ssl=1" class="attachment-large size-large wp-image-325" alt="" loading="lazy" srcset="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/localhost_xored.png?w=408&amp;ssl=1 408w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/localhost_xored.png?resize=300%2C102&amp;ssl=1 300w" sizes="(max-width: 408px) 100vw, 408px" />								</a>
														</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-b800de8 elementor-widget elementor-widget-text-editor" data-id="b800de8" data-element_type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
								<div class="elementor-text-editor elementor-clearfix">
				<p><span style="font-weight: 400;">Sure enough! That seems to be the case. So as it turns out, the IP address that we use in our config file has to be encoded using the XOR scheme. This is wise on the attacker’s end. It ensures that even if the config file is found the Command and Control IP or domain isn’t discoverable in plain text. It also ensures the C2 they use can’t be picked up by a simple YARA rule if they’re using a known malicious IP address (which this particular actor did! Again, see the <a href="https://youtu.be/ObiSt_RYOOM">Macdoored</a> video for more details). So if we want to see a successful connection from this malware we have to ensure that the IP (or domain) stored in the config file is first encoded accordingly. Since XOR is reversible and we already know the scheme being used, this ends up being quite simple. We can do it by flipping a single operator in our python myDecode script.</span></p><p><span style="font-weight: 400;">ascii = (ord(x) + 0x4) ^ 0x2</span></p><p><span style="font-weight: 400;">to</span></p><p><span style="font-weight: 400;">ascii = (ord(x) – 0x4) ^ 0x2</span></p><p><span style="font-weight: 400;">Which gives us 127.0.0.1 in the needed masked format which can be decoded properly after we update our config file.</span></p>					</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-a783a69 elementor-widget elementor-widget-image" data-id="a783a69" data-element_type="widget" data-widget_type="image.default">
				<div class="elementor-widget-container">
								<div class="elementor-image">
													<a href="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/localhost_encoded.png?ssl=1" data-elementor-open-lightbox="yes" data-elementor-lightbox-title="localhost_encoded" data-e-action-hash="#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6MzI2LCJ1cmwiOiJodHRwczpcL1wvdGhlbWl0dGVubWFjLmNvbVwvd3AtY29udGVudFwvdXBsb2Fkc1wvMjAxOVwvMTJcL2xvY2FsaG9zdF9lbmNvZGVkLnBuZyJ9">
							<img decoding="async" width="391" height="115" src="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/localhost_encoded.png?fit=391%2C115&amp;ssl=1" class="attachment-large size-large wp-image-326" alt="" loading="lazy" srcset="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/localhost_encoded.png?w=391&amp;ssl=1 391w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/localhost_encoded.png?resize=300%2C88&amp;ssl=1 300w" sizes="(max-width: 391px) 100vw, 391px" />								</a>
														</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-c76d51c elementor-widget elementor-widget-image" data-id="c76d51c" data-element_type="widget" data-widget_type="image.default">
				<div class="elementor-widget-container">
								<div class="elementor-image">
													<a href="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/localhost_decoded_correctly.png?ssl=1" data-elementor-open-lightbox="yes" data-elementor-lightbox-title="localhost_decoded_correctly" data-e-action-hash="#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6MzI4LCJ1cmwiOiJodHRwczpcL1wvdGhlbWl0dGVubWFjLmNvbVwvd3AtY29udGVudFwvdXBsb2Fkc1wvMjAxOVwvMTJcL2xvY2FsaG9zdF9kZWNvZGVkX2NvcnJlY3RseS5wbmcifQ%3D%3D">
							<img decoding="async" width="493" height="281" src="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/localhost_decoded_correctly.png?fit=493%2C281&amp;ssl=1" class="attachment-large size-large wp-image-328" alt="" loading="lazy" srcset="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/localhost_decoded_correctly.png?w=493&amp;ssl=1 493w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/localhost_decoded_correctly.png?resize=300%2C171&amp;ssl=1 300w" sizes="(max-width: 493px) 100vw, 493px" />								</a>
														</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-dbcb4d6 elementor-widget elementor-widget-text-editor" data-id="dbcb4d6" data-element_type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
								<div class="elementor-text-editor elementor-clearfix">
				<p><span style="font-weight: 400;">Now you’d think we would be about ready to get a connection back to our C2 server. However, TinyTim has one more anti-debugging trick up its sleeve. If we take a look at the main() function again in pseudocode we’ll notice that the connect() function getting called is dependent upon a non-matching string compare.</span></p>					</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-22d7255 elementor-widget elementor-widget-image" data-id="22d7255" data-element_type="widget" data-widget_type="image.default">
				<div class="elementor-widget-container">
								<div class="elementor-image">
													<a href="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/localhost_check.png?ssl=1" data-elementor-open-lightbox="yes" data-elementor-lightbox-title="localhost_check" data-e-action-hash="#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6MzMwLCJ1cmwiOiJodHRwczpcL1wvdGhlbWl0dGVubWFjLmNvbVwvd3AtY29udGVudFwvdXBsb2Fkc1wvMjAxOVwvMTJcL2xvY2FsaG9zdF9jaGVjay5wbmcifQ%3D%3D">
							<img decoding="async" width="750" height="318" src="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/localhost_check.png?fit=750%2C318&amp;ssl=1" class="attachment-large size-large wp-image-330" alt="" loading="lazy" srcset="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/localhost_check.png?w=1030&amp;ssl=1 1030w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/localhost_check.png?resize=300%2C127&amp;ssl=1 300w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/localhost_check.png?resize=1024%2C434&amp;ssl=1 1024w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/localhost_check.png?resize=768%2C326&amp;ssl=1 768w" sizes="(max-width: 750px) 100vw, 750px" />								</a>
														</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-e2c4cfc elementor-widget elementor-widget-text-editor" data-id="e2c4cfc" data-element_type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
								<div class="elementor-text-editor elementor-clearfix">
				<p><span style="font-weight: 400;">Let’s add a breakpoint on this strcmp function and see what’s being compared here by printing registers RDI and RSI (the first and second args passed into strcmp).</span></p>					</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-37584ea elementor-widget elementor-widget-image" data-id="37584ea" data-element_type="widget" data-widget_type="image.default">
				<div class="elementor-widget-container">
								<div class="elementor-image">
													<a href="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/strcmp_localhost.png?ssl=1" data-elementor-open-lightbox="yes" data-elementor-lightbox-title="strcmp_localhost" data-e-action-hash="#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6MzMyLCJ1cmwiOiJodHRwczpcL1wvdGhlbWl0dGVubWFjLmNvbVwvd3AtY29udGVudFwvdXBsb2Fkc1wvMjAxOVwvMTJcL3N0cmNtcF9sb2NhbGhvc3QucG5nIn0%3D">
							<img decoding="async" width="750" height="480" src="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/strcmp_localhost.png?fit=750%2C480&amp;ssl=1" class="attachment-large size-large wp-image-332" alt="" loading="lazy" srcset="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/strcmp_localhost.png?w=1383&amp;ssl=1 1383w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/strcmp_localhost.png?resize=300%2C192&amp;ssl=1 300w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/strcmp_localhost.png?resize=1024%2C656&amp;ssl=1 1024w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/strcmp_localhost.png?resize=768%2C492&amp;ssl=1 768w" sizes="(max-width: 750px) 100vw, 750px" />								</a>
														</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-7fbabef elementor-widget elementor-widget-text-editor" data-id="7fbabef" data-element_type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
								<div class="elementor-text-editor elementor-clearfix">
				<p><span style="font-weight: 400;">Of course. Before a connection is made to the specified C2 a check is done to ensure that this is not an attempt to connect to the same computer that is running the malware. Another smart move by the malware author. There are many ways to get around this. For simplicity I will start the Tinyshell server inside a VM, take the local IP address of that VM,  remask the IP with the XOR scheme, and add it to the config file. Problem solved. Running TinyTim will now create a connection back to my Tinyshell server on my VM. This unveils the final hiccup.</span></p>					</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-e4eb546 elementor-widget elementor-widget-image" data-id="e4eb546" data-element_type="widget" data-widget_type="image.default">
				<div class="elementor-widget-container">
								<div class="elementor-image">
													<a href="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/password_prompt.png?ssl=1" data-elementor-open-lightbox="yes" data-elementor-lightbox-title="password_prompt" data-e-action-hash="#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6MzM0LCJ1cmwiOiJodHRwczpcL1wvdGhlbWl0dGVubWFjLmNvbVwvd3AtY29udGVudFwvdXBsb2Fkc1wvMjAxOVwvMTJcL3Bhc3N3b3JkX3Byb21wdC5wbmcifQ%3D%3D">
							<img decoding="async" width="750" height="447" src="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/password_prompt.png?fit=750%2C447&amp;ssl=1" class="attachment-large size-large wp-image-334" alt="" loading="lazy" srcset="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/password_prompt.png?w=1189&amp;ssl=1 1189w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/password_prompt.png?resize=300%2C179&amp;ssl=1 300w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/password_prompt.png?resize=1024%2C610&amp;ssl=1 1024w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/password_prompt.png?resize=768%2C457&amp;ssl=1 768w" sizes="(max-width: 750px) 100vw, 750px" />								</a>
														</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-1b8e1b9 elementor-widget elementor-widget-text-editor" data-id="1b8e1b9" data-element_type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
								<div class="elementor-text-editor elementor-clearfix">
				<p><span style="font-weight: normal;">TinyTim wants a password. This is expected since in its open-source form Tinyshell requires a user to enter their password.&nbsp; However, since we didn&#8217;t see a password option specified in the config file we know that it has to be stored within the executable somewhere. The open source Tinyshell refers to the password as &#8220;secret&#8221;.&nbsp; In Hopper, we can do a simple search for &#8220;secret&#8221;.</span></p>					</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-acc63cf elementor-widget elementor-widget-image" data-id="acc63cf" data-element_type="widget" data-widget_type="image.default">
				<div class="elementor-widget-container">
								<div class="elementor-image">
													<a href="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/xref_secret.png?ssl=1" data-elementor-open-lightbox="yes" data-elementor-lightbox-title="xref_secret" data-e-action-hash="#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6MzM3LCJ1cmwiOiJodHRwczpcL1wvdGhlbWl0dGVubWFjLmNvbVwvd3AtY29udGVudFwvdXBsb2Fkc1wvMjAxOVwvMTJcL3hyZWZfc2VjcmV0LnBuZyJ9">
							<img decoding="async" width="750" height="318" src="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/xref_secret.png?fit=750%2C318&amp;ssl=1" class="attachment-large size-large wp-image-337" alt="" loading="lazy" srcset="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/xref_secret.png?w=1103&amp;ssl=1 1103w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/xref_secret.png?resize=300%2C127&amp;ssl=1 300w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/xref_secret.png?resize=1024%2C434&amp;ssl=1 1024w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/xref_secret.png?resize=768%2C326&amp;ssl=1 768w" sizes="(max-width: 750px) 100vw, 750px" />								</a>
														</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-93dd303 elementor-widget elementor-widget-text-editor" data-id="93dd303" data-element_type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
								<div class="elementor-text-editor elementor-clearfix">
				<p><span style="font-weight: 400;">Here we see an XREF pointing to an interesting string “`lcc ,./3”. We can try using this as a password but the odds are probably good that this, like every other string in the executable, is actually encoded. So we will decode it first with our python script.</span></p>					</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-93000c0 elementor-widget elementor-widget-image" data-id="93000c0" data-element_type="widget" data-widget_type="image.default">
				<div class="elementor-widget-container">
								<div class="elementor-image">
													<a href="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/password.png?ssl=1" data-elementor-open-lightbox="yes" data-elementor-lightbox-title="password" data-e-action-hash="#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6MzM4LCJ1cmwiOiJodHRwczpcL1wvdGhlbWl0dGVubWFjLmNvbVwvd3AtY29udGVudFwvdXBsb2Fkc1wvMjAxOVwvMTJcL3Bhc3N3b3JkLnBuZyJ9">
							<img decoding="async" width="408" height="117" src="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/password.png?fit=408%2C117&amp;ssl=1" class="attachment-large size-large wp-image-338" alt="" loading="lazy" srcset="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/password.png?w=408&amp;ssl=1 408w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/password.png?resize=300%2C86&amp;ssl=1 300w" sizes="(max-width: 408px) 100vw, 408px" />								</a>
														</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-c6635a2 elementor-widget elementor-widget-text-editor" data-id="c6635a2" data-element_type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
								<div class="elementor-text-editor elementor-clearfix">
				<p><span style="font-weight: normal;">The password seems to be free&amp;2015</span></p>					</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-4e65baf elementor-widget elementor-widget-image" data-id="4e65baf" data-element_type="widget" data-widget_type="image.default">
				<div class="elementor-widget-container">
								<div class="elementor-image">
													<a href="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/connected.png?ssl=1" data-elementor-open-lightbox="yes" data-elementor-lightbox-title="connected" data-e-action-hash="#elementor-action%3Aaction%3Dlightbox%26settings%3DeyJpZCI6MzM5LCJ1cmwiOiJodHRwczpcL1wvdGhlbWl0dGVubWFjLmNvbVwvd3AtY29udGVudFwvdXBsb2Fkc1wvMjAxOVwvMTJcL2Nvbm5lY3RlZC5wbmcifQ%3D%3D">
							<img decoding="async" width="750" height="383" src="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/connected.png?fit=750%2C383&amp;ssl=1" class="attachment-large size-large wp-image-339" alt="" loading="lazy" srcset="https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/connected.png?w=1264&amp;ssl=1 1264w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/connected.png?resize=300%2C153&amp;ssl=1 300w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/connected.png?resize=1024%2C523&amp;ssl=1 1024w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2019/12/connected.png?resize=768%2C393&amp;ssl=1 768w" sizes="(max-width: 750px) 100vw, 750px" />								</a>
														</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-c2dafe1 elementor-widget elementor-widget-text-editor" data-id="c2dafe1" data-element_type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
								<div class="elementor-text-editor elementor-clearfix">
				<p><span style="font-weight: 400;">And at last we’re in business. The goal this entire time has been to get the malware to connect to our C2 server to see if it’s further modified in any way. As it turns out, from here on out this malware behaves just like open source Tinyshell. So the major additions were the encoded strings, the addition of a config file for quick changes, and a handful of anti-debugging techniques. Rather than continuing to use our decompiler, it makes more sense to just look at the Tinyshell client source code.</span></p>					</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-21145b8 elementor-widget-divider--view-line elementor-widget elementor-widget-divider" data-id="21145b8" data-element_type="widget" data-widget_type="divider.default">
				<div class="elementor-widget-container">
					<div class="elementor-divider">
			<span class="elementor-divider-separator">
						</span>
		</div>
				</div>
				</div>
				<div class="elementor-element elementor-element-9b0427e elementor-widget elementor-widget-heading" data-id="9b0427e" data-element_type="widget" data-widget_type="heading.default">
				<div class="elementor-widget-container">
			<h2 class="elementor-heading-title elementor-size-default">Conclusion</h2>		</div>
				</div>
				<div class="elementor-element elementor-element-5cc8557 elementor-widget elementor-widget-text-editor" data-id="5cc8557" data-element_type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
								<div class="elementor-text-editor elementor-clearfix">
				<p><span style="font-weight: 400;">In 2013 Securelist</span><a href="https://securelist.com/cyber-attacks-against-uyghur-mac-os-x-users-intensify/64259/"><span style="font-weight: 400;"> did a blog post</span></a><span style="font-weight: 400;"> regarding a campaign targeting Uyghur Mac users. The blog post provided solid technical detail revealing that the Mac ported sample seemed a bit less sophisticated than the one discussed above. Of course that was seven years ago and Mac security was even less of a concern than it is now. Although this malware is rare I wouldn’t be surprised if it was still being used in targeted intrusions as I&#8217;ve run into it multiple times throughout my career. The shared code is very solid ground as far as backdoors go and is easy to integrate into other projects while keeping the executable size small. If you’ve encountered this malware or have additional samples and you’re comfortable (and legally capable of) sharing, please feel free to reach out.</span></p>					</div>
						</div>
				</div>
						</div>
					</div>
		</div>
								</div>
					</div>
		</section>
									</div>
			</div>
					</div>
		</div>
		<div class="section section-blog-info">
			<div class="row">
				<div class="col-md-6">
					<div class="entry-categories">Categories:						<span class="label label-primary"><a href="https://themittenmac.com/category/malware/">Malware</a></span>					</div>
					<div class="entry-tags">Tags: <span class="entry-tag"><a href="https://themittenmac.com/tag/malware/" rel="tag">malware</a></span><span class="entry-tag"><a href="https://themittenmac.com/tag/reversing/" rel="tag">reversing</a></span></div>				</div>
				
        <div class="col-md-6">
            <div class="entry-social">
                <a target="_blank" rel="tooltip"
                   data-original-title="Share on Facebook"
                   class="btn btn-just-icon btn-round btn-facebook"
                   href="https://www.facebook.com/sharer.php?u=https://themittenmac.com/tinyshell-under-the-microscope/">
                   <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 320 512" width="20" height="17"><path fill="currentColor" d="M279.14 288l14.22-92.66h-88.91v-60.13c0-25.35 12.42-50.06 52.24-50.06h40.42V6.26S260.43 0 225.36 0c-73.22 0-121.08 44.38-121.08 124.72v70.62H22.89V288h81.39v224h100.17V288z"></path></svg>
                </a>
                
                <a target="_blank" rel="tooltip"
                   data-original-title="Share on Twitter"
                   class="btn btn-just-icon btn-round btn-twitter"
                   href="http://twitter.com/share?url=https://themittenmac.com/tinyshell-under-the-microscope/&#038;text=Tinyshell%20Under%20the%20Microscope">
                   <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512" width="20" height="17"><path fill="currentColor" d="M459.37 151.716c.325 4.548.325 9.097.325 13.645 0 138.72-105.583 298.558-298.558 298.558-59.452 0-114.68-17.219-161.137-47.106 8.447.974 16.568 1.299 25.34 1.299 49.055 0 94.213-16.568 130.274-44.832-46.132-.975-84.792-31.188-98.112-72.772 6.498.974 12.995 1.624 19.818 1.624 9.421 0 18.843-1.3 27.614-3.573-48.081-9.747-84.143-51.98-84.143-102.985v-1.299c13.969 7.797 30.214 12.67 47.431 13.319-28.264-18.843-46.781-51.005-46.781-87.391 0-19.492 5.197-37.36 14.294-52.954 51.655 63.675 129.3 105.258 216.365 109.807-1.624-7.797-2.599-15.918-2.599-24.04 0-57.828 46.782-104.934 104.934-104.934 30.213 0 57.502 12.67 76.67 33.137 23.715-4.548 46.456-13.32 66.599-25.34-7.798 24.366-24.366 44.833-46.132 57.827 21.117-2.273 41.584-8.122 60.426-16.243-14.292 20.791-32.161 39.308-52.628 54.253z"></path></svg>
                </a>
                
                <a rel="tooltip"
                   data-original-title=" Share on Email"
                   class="btn btn-just-icon btn-round"
                   href="mailto:?subject=Tinyshell%20Under%20the%20Microscope&#038;body=https://themittenmac.com/tinyshell-under-the-microscope/">
                    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512" width="20" height="17"><path fill="currentColor" d="M502.3 190.8c3.9-3.1 9.7-.2 9.7 4.7V400c0 26.5-21.5 48-48 48H48c-26.5 0-48-21.5-48-48V195.6c0-5 5.7-7.8 9.7-4.7 22.4 17.4 52.1 39.5 154.1 113.6 21.1 15.4 56.7 47.8 92.2 47.6 35.7.3 72-32.8 92.3-47.6 102-74.1 131.6-96.3 154-113.7zM256 320c23.2.4 56.6-29.2 73.4-41.4 132.7-96.3 142.8-104.7 173.4-128.7 5.8-4.5 9.2-11.5 9.2-18.9v-19c0-26.5-21.5-48-48-48H48C21.5 64 0 85.5 0 112v19c0 7.4 3.4 14.3 9.2 18.9 30.6 23.9 40.7 32.4 173.4 128.7 16.8 12.2 50.2 41.8 73.4 41.4z"></path></svg>
               </a>
            </div>
		</div>			</div>
			<hr>
					</div>
		</div>		</div>
</article>

		</div>
	</div>
</div>

			<div class="section related-posts">
				<div class="container">
					<div class="row">
						<div class="col-md-12">
							<h2 class="hestia-title text-center">Related Posts</h2>
							<div class="row">
																	<div class="col-md-4">
										<div class="card card-blog">
																							<div class="card-image">
													<a href="https://themittenmac.com/what-does-apt-activity-look-like-on-macos/" title="What does APT Activity Look Like on MacOS?">
														<img width="360" height="240" src="https://i0.wp.com/themittenmac.com/wp-content/uploads/2020/03/Screen-Shot-2020-03-12-at-11.37.27-AM.png?resize=360%2C240&amp;ssl=1" class="attachment-hestia-blog size-hestia-blog wp-post-image" alt="" decoding="async" loading="lazy" srcset="https://i0.wp.com/themittenmac.com/wp-content/uploads/2020/03/Screen-Shot-2020-03-12-at-11.37.27-AM.png?resize=360%2C240&amp;ssl=1 360w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2020/03/Screen-Shot-2020-03-12-at-11.37.27-AM.png?zoom=2&amp;resize=360%2C240&amp;ssl=1 720w, https://i0.wp.com/themittenmac.com/wp-content/uploads/2020/03/Screen-Shot-2020-03-12-at-11.37.27-AM.png?zoom=3&amp;resize=360%2C240&amp;ssl=1 1080w" sizes="(max-width: 360px) 100vw, 360px" />													</a>
												</div>
																						<div class="content">
												<h6 class="category text-info"></h6>
												<h4 class="card-title">
													<a class="blog-item-title-link" href="https://themittenmac.com/what-does-apt-activity-look-like-on-macos/" title="What does APT Activity Look Like on MacOS?" rel="bookmark">
														What does APT Activity Look Like on MacOS?													</a>
												</h4>
												<p class="card-description">What does APT Activity Look Like on macOS? I often get asked what Advanced Persistent Activity (APT) or nation state hacking looks like on a macOS system. This is a great question and the answer<a class="moretag" href="https://themittenmac.com/what-does-apt-activity-look-like-on-macos/"> Read more&hellip;</a></p>
											</div>
										</div>
									</div>
																							</div>
						</div>
					</div>
				</div>
			</div>
			<div class="footer-wrapper">
						<footer class="footer footer-black footer-big">
						<div class="container">
																<div class="hestia-bottom-footer-content"><ul id="menu-up-top-1" class="footer-menu pull-left"><li class="menu-item menu-item-type-post_type menu-item-object-page current_page_parent menu-item-1554"><a href="https://themittenmac.com/blog/">Blog</a></li>
<li class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1550"><a href="https://themittenmac.com/elementor-1520/">Training</a></li>
<li class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1551"><a href="https://themittenmac.com/tools/">Tools</a></li>
<li class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1552"><a href="https://themittenmac.com/book/">Book</a></li>
<li class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1553"><a href="https://themittenmac.com/github/">GitHub</a></li>
</ul><div class="copyright pull-right">Hestia | Developed by <a href="https://themeisle.com" rel="nofollow">ThemeIsle</a></div></div>			</div>
					</footer>
				</div>
	</div>
<img src="" id="fsb_image" alt=""/><!-- Enter your scripts here --><link rel='stylesheet' id='font-awesome-5-all-css' href='https://themittenmac.com/wp-content/themes/hestia/assets/font-awesome/css/all.min.css?ver=1.0.2' type='text/css' media='all' />
<link rel='stylesheet' id='font-awesome-4-shim-css' href='https://themittenmac.com/wp-content/themes/hestia/assets/font-awesome/css/v4-shims.min.css?ver=1.0.2' type='text/css' media='all' />
<link rel='stylesheet' id='e-animations-css' href='https://themittenmac.com/wp-content/plugins/elementor/assets/lib/animations/animations.min.css?ver=3.11.5' type='text/css' media='all' />
<script type='text/javascript' src='https://themittenmac.com/wp-content/plugins/jetpack/_inc/build/photon/photon.min.js?ver=20191001' id='jetpack-photon-js'></script>
<script type='text/javascript' src='https://themittenmac.com/wp-includes/js/comment-reply.min.js?ver=6.1.1' id='comment-reply-js'></script>
<script type='text/javascript' src='https://themittenmac.com/wp-content/themes/hestia/assets/bootstrap/js/bootstrap.min.js?ver=1.0.2' id='jquery-bootstrap-js'></script>
<script type='text/javascript' src='https://themittenmac.com/wp-includes/js/jquery/ui/core.min.js?ver=1.13.2' id='jquery-ui-core-js'></script>
<script type='text/javascript' id='hestia_scripts-js-extra'>
/* <![CDATA[ */
var requestpost = {"ajaxurl":"https:\/\/themittenmac.com\/wp-admin\/admin-ajax.php","disable_autoslide":"","masonry":""};
/* ]]> */
</script>
<script type='text/javascript' src='https://themittenmac.com/wp-content/themes/hestia/assets/js/script.min.js?ver=3.0.29' id='hestia_scripts-js'></script>
<script type='text/javascript' src='https://themittenmac.com/wp-content/plugins/elementor/assets/js/webpack.runtime.min.js?ver=3.11.5' id='elementor-webpack-runtime-js'></script>
<script type='text/javascript' src='https://themittenmac.com/wp-content/plugins/elementor/assets/js/frontend-modules.min.js?ver=3.11.5' id='elementor-frontend-modules-js'></script>
<script type='text/javascript' src='https://themittenmac.com/wp-content/plugins/elementor/assets/lib/waypoints/waypoints.min.js?ver=4.0.2' id='elementor-waypoints-js'></script>
<script type='text/javascript' src='https://themittenmac.com/wp-content/plugins/elementor/assets/lib/swiper/swiper.min.js?ver=5.3.6' id='swiper-js'></script>
<script type='text/javascript' src='https://themittenmac.com/wp-content/plugins/elementor/assets/lib/share-link/share-link.min.js?ver=3.11.5' id='share-link-js'></script>
<script type='text/javascript' src='https://themittenmac.com/wp-content/plugins/elementor/assets/lib/dialog/dialog.min.js?ver=4.9.0' id='elementor-dialog-js'></script>
<script type='text/javascript' id='elementor-frontend-js-before'>
var elementorFrontendConfig = {"environmentMode":{"edit":false,"wpPreview":false,"isScriptDebug":false},"i18n":{"shareOnFacebook":"Share on Facebook","shareOnTwitter":"Share on Twitter","pinIt":"Pin it","download":"Download","downloadImage":"Download image","fullscreen":"Fullscreen","zoom":"Zoom","share":"Share","playVideo":"Play Video","previous":"Previous","next":"Next","close":"Close"},"is_rtl":false,"breakpoints":{"xs":0,"sm":480,"md":768,"lg":1025,"xl":1440,"xxl":1600},"responsive":{"breakpoints":{"mobile":{"label":"Mobile","value":767,"default_value":767,"direction":"max","is_enabled":true},"mobile_extra":{"label":"Mobile Extra","value":880,"default_value":880,"direction":"max","is_enabled":false},"tablet":{"label":"Tablet","value":1024,"default_value":1024,"direction":"max","is_enabled":true},"tablet_extra":{"label":"Tablet Extra","value":1200,"default_value":1200,"direction":"max","is_enabled":false},"laptop":{"label":"Laptop","value":1366,"default_value":1366,"direction":"max","is_enabled":false},"widescreen":{"label":"Widescreen","value":2400,"default_value":2400,"direction":"min","is_enabled":false}}},"version":"3.11.5","is_static":false,"experimentalFeatures":{"landing-pages":true,"kit-elements-defaults":true},"urls":{"assets":"https:\/\/themittenmac.com\/wp-content\/plugins\/elementor\/assets\/"},"swiperClass":"swiper-container","settings":{"page":[],"editorPreferences":[]},"kit":{"active_breakpoints":["viewport_mobile","viewport_tablet"],"global_image_lightbox":"yes","lightbox_enable_counter":"yes","lightbox_enable_fullscreen":"yes","lightbox_enable_zoom":"yes","lightbox_enable_share":"yes","lightbox_title_src":"title","lightbox_description_src":"description"},"post":{"id":241,"title":"Tinyshell%20Under%20the%20Microscope%20%E2%80%93%20The%20Mitten%20Mac","excerpt":"Back in 2018 I presented a talk titled \u201cMacdoored\u201d at a handful of small conferences. This talk was about various APT attacks I\u2019d seen targeting Macs. In the talk I take a minute to mention the backdoor that the attackers were using which was a modified version of Tinyshell...","featuredImage":"https:\/\/i0.wp.com\/themittenmac.com\/wp-content\/uploads\/2019\/12\/mydecode_args.png?fit=642%2C443&ssl=1"}};
</script>
<script type='text/javascript' src='https://themittenmac.com/wp-content/plugins/elementor/assets/js/frontend.min.js?ver=3.11.5' id='elementor-frontend-js'></script>
<script type='text/javascript' src='https://themittenmac.com/wp-content/plugins/elementor/assets/js/preloaded-modules.min.js?ver=3.11.5' id='preloaded-modules-js'></script>
<script type='text/javascript' src='https://themittenmac.com/wp-includes/js/underscore.min.js?ver=1.13.4' id='underscore-js'></script>
<script type='text/javascript' id='wp-util-js-extra'>
/* <![CDATA[ */
var _wpUtilSettings = {"ajax":{"url":"\/wp-admin\/admin-ajax.php"}};
/* ]]> */
</script>
<script type='text/javascript' src='https://themittenmac.com/wp-includes/js/wp-util.min.js?ver=6.1.1' id='wp-util-js'></script>
<script type='text/javascript' id='wpforms-elementor-js-extra'>
/* <![CDATA[ */
var wpformsElementorVars = {"captcha_provider":"recaptcha","recaptcha_type":"v2"};
/* ]]> */
</script>
<script type='text/javascript' src='https://themittenmac.com/wp-content/plugins/wpforms-lite/assets/js/integrations/elementor/frontend.min.js?ver=1.8.0.2' id='wpforms-elementor-js'></script>
	<script src='https://stats.wp.com/e-202311.js' defer></script>
	<script>
		_stq = window._stq || [];
		_stq.push([ 'view', {v:'ext',blog:'169571236',post:'241',tz:'0',srv:'themittenmac.com',j:'1:11.9.1'} ]);
		_stq.push([ 'clickTrackerInit', '169571236', '241' ]);
	</script></body>
</html>
